[Security] TLS Certificates Verification
stpeter at stpeter.im
Wed Aug 20 13:24:30 CDT 2008
Jonathan Dickinson wrote:
>> -----Original Message----- From: security-bounces at xmpp.org
>> [mailto:security-bounces at xmpp.org] On Behalf Of Peter Saint-Andre
>> Sent: Wednesday, August 20, 2008 7:19 PM To: XMPP Security Subject:
>> Re: [Security] TLS Certificates Verification
>> As mentioned, the estimates I received indicated that a full
>> cryptanalysis for ESessions would cost between $100,000 and
>> $200,000. That's not exactly chump change.
>> Feel free to raise that money yourself, but until we have some kind
>> of closure to these discussions, I am not about to approach
>> *anyone* for money. And given that I have slowly come to see the
>> logic of using TLS-over-XMPP, I am not enthusiastic about raising
>> large sums of money for an ESessions cryptanalysis. And presumably
>> anyone who might fork over $100k-$200k would do some due diligence,
>> read these discussion threads and the relevant specs, and ask why
>> we're not just using TLS-over-XMPP.
> I was hoping someone else would latch onto that, I didn't really want
> to shoot down Jonathan's ideas.
I don't think that people hand over $100k just because they latch onto
an idea. Someone needs to sell them on it. I have already sold ESessions
once and it didn't go so well:
Once bitten, twice shy.
> To me ESessions is a great idea, it's
> just that it will potentially take a while to get cryptanalysed and
> so on. Maybe if we just kept it on the back burner for now and
> concentrated on solutions besides it.
Not a bad idea. We'll focus on the low-hanging fruit of TLS-over-XMPP
for a bit and see how that goes. We can always return to ESessions if
that doesn't work out.
> This thread kinda reminds me of the good ol' days when I suggested
> binary XML ;).
Yum, broccoli ice cream! :)
> Maybe if everyone threw their suggestions into the thread right now
> (mentioned or not) so that we can all look at the options in front of
I think it's most productive to look at the various authentication
models, as ekr suggested, rather than pushing for a particular technology.