[Security] TLS-SRP Questions

Kurt Zeilenga Kurt.Zeilenga at Isode.com
Thu Aug 21 15:31:51 CDT 2008

On Aug 21, 2008, at 12:19 PM, Dirk Meyer wrote:

> Jonathan Dickinson wrote:
>> And my hard-laboured formatting got messed up.
> :)
>> Initiator opens connection
>> Target gets connection and presents certificate
>> Initiator verifies certificate with IC -> Fail if invalid
>> Initiator presents certificate
>> Target verifies certificate -> Fail if invalid
>> Success
>> The point is, from what I can tell, TLS supports all of that.
> Yes, but the question is how to verify a certificate from someone you
> do not know which is not signed by a CA. Or I'm I missing something in
> your argumentation?


I understand the problem is that a user A asserts they are some  
jabberid to user B, and now B wants to establish a "secure" channel  
with A.
B connects to the asserted jabberid and establishes a secure channel.   
Now B wants to prove that person that its A on the other end of
this channel.

Note that B may not know or care who A is (other than they are the  
person that made the assertion).

Presumedly A asserted some sort of fingerprint of their certificate at  
the same time they asserted their jabberid.

In this case, it seems that all B needs to do is check that the  
certificate presumedly by A in establishing the "secure" channel has  
the same fingerprint.

Why would there be any need to otherwise "verify" A's certificate?

-- Kurt

> Dirk
> -- 
> A bad random number generator: 1, 1, 1, 1, 1, 4.33e+67, 1, 1, 1...

More information about the Security mailing list