[Security] TLS-SRP Questions

Kurt Zeilenga Kurt.Zeilenga at Isode.com
Thu Aug 21 15:31:51 CDT 2008


On Aug 21, 2008, at 12:19 PM, Dirk Meyer wrote:

> Jonathan Dickinson wrote:
>> And my hard-laboured formatting got messed up.
>
> :)
>
>> Initiator opens connection
>> Target gets connection and presents certificate
>> Initiator verifies certificate with IC -> Fail if invalid
>> Initiator presents certificate
>> Target verifies certificate -> Fail if invalid
>> Success
>>
>> The point is, from what I can tell, TLS supports all of that.
>
> Yes, but the question is how to verify a certificate from someone you
> do not know which is not signed by a CA. Or I'm I missing something in
> your argumentation?

Dirk,

I understand the problem is that a user A asserts they are some  
jabberid to user B, and now B wants to establish a "secure" channel  
with A.
B connects to the asserted jabberid and establishes a secure channel.   
Now B wants to prove that person that its A on the other end of
this channel.

Note that B may not know or care who A is (other than they are the  
person that made the assertion).

Presumedly A asserted some sort of fingerprint of their certificate at  
the same time they asserted their jabberid.

In this case, it seems that all B needs to do is check that the  
certificate presumedly by A in establishing the "secure" channel has  
the same fingerprint.

Why would there be any need to otherwise "verify" A's certificate?

-- Kurt



>
>
> Dirk
>
>
> -- 
> A bad random number generator: 1, 1, 1, 1, 1, 4.33e+67, 1, 1, 1...



More information about the Security mailing list