[Security] TLS Certificates Verification

Peter Saint-Andre stpeter at stpeter.im
Thu Aug 21 07:29:19 CDT 2008


Remko Tronçon wrote:
>> But Remko's right, if we require two passwords (one for Jabber, one for a
>> private key) then a lot of people will just make them the same, completely
>> defeating the point.  I think we'll have this problem whether or not the
>> private keys are stored on the server or locally.
> 
> Exactly, and I don't think we should care. It's impossible for someone
> to have a secure communication if that person is not willing to read
> and follow dialogs. It's our job to educate people the best that we
> can (cfr. Firefox 3's error dialog on self-signed certificates,
> Brendan's Gajim UI, ...), and if people still choose to ignore this,
> that's their problem.
> 
> We should, however, never compromise security for people who *do*
> care, so I'm not a fan of most of the 'aunt tilly' points in these
> security threads (unless they are about *explaining* security in a
> clear way to aunt tilly).

+1, well said!

/psa

