[Security] TLS Certificates Verification
dave at cridland.net
Wed Aug 20 12:49:08 CDT 2008
On Wed Aug 20 18:03:35 2008, Jonathan Schleifer wrote:
> > It's certainly true that on old hardware, or mobile handsets,
> > generating an RSA key will take a while, albeit it typically not
> > hour. But we can also arrange for standard methods for
> > the private key to other devices, and for actual devices (in the
> > sense that Dirk Meyer wants to deal with) the key can be
> > pregenerated by the hardware manufacturer, like is done with the
> > iPhone.
> I wouldn't trust the manufacturer for that. I really wouldn't.
Well, possibly not, but we do for Bluetooth, essentially. I suspect
it depends on what you're trying to achieve with the device in
> > Or TLS, of course.
> > But humour me for a moment:
> > What makes ESessions such a win against TLS?
> It's already implemented and working :).
So is TLS, in multiple implementations. Sure, "XTLS" has only one
implementation, but that's (very) easily rectified - and I could
probably do so quickly if Gajim happens to have a Jingle engine,
since I've got the remaining bits I think.
> > Why would my customers be happier with ESessions over TLS?
> No need to have keys etc. Yes, I know, you can have that with TLS,
> it seems everybody here thinks "If TLS, then public keys!".
I'm not sure about that - I'll defer to Ekr here, who seems to think
we need asymmetric crypto somewhere. I'm certainly inclined to think
that the benefits of having public keys for identity purposes are
hugely useful, not least of which when trying to fit into an existing
Perhaps I simply don't understand the alternatives, but I'm pretty
damn sure that Ekr does.
> > What analysis can I show them?
> None, that's why I suggested to contact Google or another premium
> sponsor if they could sponsor an analysis. None of the sponsors has
> been contacted for that yet.
Sure, but on the other hand, TLS and its encryption algorithms *have*
been heavily analyzed, as well as having been subject to attack in
the field for many years. Switching to TLS seems to be a much better
use of our sponsor's funds on that basis, and would be even if PSA's
figures were inflated by a factor of several thousand.
> > What IPR issues affect ESessions that I need to warn them about?
> I'm not aware of any :).
Right - so you did the patent searches yourself? Will you indemnify
my customers if some IPR comes to light?
Alternately, we could rely on TLS being so widely deployed that it
seems unfeasible that any submarine patents haven't come to light yet.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade