[Security] TLS-SRP Questions

Dave Cridland dave at cridland.net
Thu Aug 21 15:35:33 CDT 2008


On Thu Aug 21 21:25:51 2008, Jonathan Dickinson wrote:
> We can have xmpp.net as the IC.

Assuming, by IC, you mean CA, I don't think the vast majority of  
users will want to trouble themselves with a CA signed certificate.

I think the majority of users will be fine with a self-signed cert  
and either leap-of-faith or some form of authentication code, whether  
that's SAS, fingerprint exchange, or whatever.

Moreover, I think that level of security is just fine, too - I think  
the kinds of deployments where X.509 PKI is important will have their  
own infrastructure in place, and will want all the exciting things  
like signed pubsub and MUC, and similar kinds of fun and games, where  
a lot of this kind of security won't apply at all.

In those kinds of deployment, end-to-end encryption is often not  
important, or even allowed - just the strong authentication is what's  
needed.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
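The self-signed-plus-leap-of-faith model above, shown as an added example (not code from the post or from any XMPP project): a client pins the SHA-256 fingerprint of a server's certificate on first contact, accepts later connections only if the fingerprint still matches, and derives a short authentication string from the same fingerprint so two parties can compare it out of band. The hostname and the certificate byte strings are constructed placeholders, not real DER data.

```python
"""Leap-of-faith (trust-on-first-use) pinning of a self-signed certificate
by fingerprint, plus a short authentication string (SAS) for out-of-band
comparison. Added example; the certificate bytes are constructed placeholders."""
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CERT_SERVER_A = b"-- constructed DER placeholder: server A self-signed cert --"
CERT_SERVER_A_ROTATED = b"-- constructed DER placeholder: server A, new key --"

# Hypothetical hostname used only for the demonstration.
HOST = "xmpp.example"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, rendered as colon-separated hex the way
    clients usually display a certificate fingerprint."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# 32 symbols, chosen to avoid visually confusable characters (0/O, 1/I).
SAS_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def short_auth_string(cert_der: bytes, length: int = 6) -> str:
    """Short authentication string: take 5 bits of the SHA-256 digest per
    symbol, so a 6-symbol SAS carries 30 bits that a user can read aloud."""
    bits = int.from_bytes(hashlib.sha256(cert_der).digest(), "big")
    out = []
    for _ in range(length):
        out.append(SAS_ALPHABET[bits & 31])
        bits >>= 5
    return "".join(out)


class PinMismatch(Exception):
    """Raised when a previously pinned host presents a different certificate."""


class TofuStore:
    """In-memory pin store: hostname -> fingerprint seen on first contact."""

    def __init__(self):
        self.pins = {}

    def verify(self, hostname: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        known = self.pins.get(hostname)
        if known is None:
            # First contact: leap of faith, remember what we saw.
            self.pins[hostname] = fp
            return "pinned"
        # Constant-time comparison of the stored and presented fingerprints.
        if hmac.compare_digest(known, fp):
            return "match"
        # A changed fingerprint is either a legitimate key rotation or an
        # interception attempt; the client cannot tell which without an
        # out-of-band check, so it must refuse rather than silently re-pin.
        raise PinMismatch(f"{hostname}: pinned {known} but got {fp}")


if __name__ == "__main__":
    store = TofuStore()
    print(store.verify(HOST, CERT_SERVER_A))          # pinned
    print(store.verify(HOST, CERT_SERVER_A))          # match
    print("SAS to read aloud:", short_auth_string(CERT_SERVER_A))
    try:
        store.verify(HOST, CERT_SERVER_A_ROTATED)
    except PinMismatch as e:
        print("refused:", e)
```

The SAS is derived from the same digest as the pin, so comparing it over a phone call or in person verifies the pinned certificate without the user reading out the full fingerprint; a real client would persist the pin store on disk and surface the mismatch to the user instead of just raising.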

