[Security] TLS Certificates Verification
dave at cridland.net
Wed Aug 20 12:53:36 CDT 2008
On Wed Aug 20 18:43:32 2008, Peter Saint-Andre wrote:
> And that's not even to get into the Layer 8 issues of what the IETF
> security mafia might find acceptable -- RFC 3921 requires support
> for RFC 3923 and we need to substitute something reasonable for
> that ugly ugly S/MIME stuff that no one has ever implemented and no
> one ever will.
Hmmm... Now probably not a good time to mention that we probably
*will* need to have a per-stanza signing (and possible encrypting)
spec in some cases, too. Luckily, these are all specialist cases,
like signing pubsub items, MUC messages, etc. And, erm, security
labelling. Because this is signature stuff, X.509 is basically our
single weapon of choice here - we could do S/MIME, therefore, but
even the people doing this stuff now aren't using S/MIME.
FWIW, all the use cases I know of are not encrypted, just signed, at
least for now - encrypted MUC or pubsub isn't on my radar.
I'm vaguely hoping the W3C dsig stuff has ended up a bit more proven
and working by the time we need this, though, so we again save
ourselves from having to reinvent wheels.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Security