[Security] TLS Certificates Verification

Dave Cridland dave at cridland.net
Wed Aug 20 12:53:36 CDT 2008

On Wed Aug 20 18:43:32 2008, Peter Saint-Andre wrote:
> And that's not even to get into the Layer 8 issues of what the IETF  
> security mafia might find acceptable -- RFC 3921 requires support  
> for RFC 3923 and we need to substitute something reasonable for  
> that ugly ugly S/MIME stuff that no one has ever implemented and no  
> one ever will.

Hmmm... Now probably not a good time to mention that we probably  
*will* need to have a per-stanza signing (and possible encrypting)  
spec in some cases, too. Luckily, these are all specialist cases,  
like signing pubsub items, MUC messages, etc. And, erm, security  
labelling. Because this is signature stuff, X.509 is basically our  
single weapon of choice here - we could do S/MIME, therefore, but  
even the people doing this stuff now aren't using S/MIME.

FWIW, all the use cases I know of are not encrypted, just signed, at  
least for now - encrypted MUC or pubsub isn't on my radar.

I'm vaguely hoping the W3C dsig stuff has ended up a bit more proven  
and working by the time we need this, though, so we again save  
ourselves from having to reinvent wheels.

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

More information about the Security mailing list