[Security] TLS Certificates Verification

Peter Saint-Andre stpeter at stpeter.im
Wed Aug 20 12:58:09 CDT 2008

Dave Cridland wrote:
> On Wed Aug 20 18:43:32 2008, Peter Saint-Andre wrote:
>> And that's not even to get into the Layer 8 issues of what the IETF 
>> security mafia might find acceptable -- RFC 3921 requires support for 
>> RFC 3923 and we need to substitute something reasonable for that ugly 
>> ugly S/MIME stuff that no one has ever implemented and no one ever will.
> Hmmm... Now probably not a good time to mention that we probably *will* 
> need to have a per-stanza signing (and possible encrypting) spec in some 
> cases, too. Luckily, these are all specialist cases, like signing pubsub 
> items, MUC messages, etc. And, erm, security labelling. Because this is 
> signature stuff, X.509 is basically our single weapon of choice here - 
> we could do S/MIME, therefore, but even the people doing this stuff now 
> aren't using S/MIME.
> FWIW, all the use cases I know of are not encrypted, just signed, at 
> least for now - encrypted MUC or pubsub isn't on my radar.

Yes, I have heard of interest in signing pubsub notifications. MUC is 
another story, but I think we'd want a separate thread for that!

> I'm vaguely hoping the W3C dsig stuff has ended up a bit more proven and 
> working by the time we need this, though, so we again save ourselves 
> from having to reinvent wheels.


/me signs up for w3c-ietf-xmldsig at w3.org


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20080820/e4c2cdeb/attachment-0001.bin 

More information about the Security mailing list