[Security] TLS Certificates Verification

Remko Tronçon remko at el-tramo.be
Thu Aug 21 02:44:07 CDT 2008


> But Remko's right, if we require two passwords (one for Jabber, one for a
> private key) then a lot of people will just make them the same, completely
> defeating the point.  I think we'll have this problem whether or not the
> private keys are stored on the server or locally.

Exactly, and I don't think we should care. It's impossible for someone
to have a secure communication if that person is not willing to read
and follow dialogs. It's our job to educate people the best that we
can (cfr. Firefox 3's error dialog on self-signed certificates,
Brendan's Gajim UI, ...), and if people still choose to ignore this,
that's their problem.

We should, however, never compromise security for people who *do*
care, so I'm not a fan of most of the 'aunt tilly' points in these
security threads (unless they are about *explaining* security in a
clear way to aunt tilly).

cheers,
Remko


More information about the Security mailing list