[Security] TLS-SRP Questions

Kurt Zeilenga Kurt.Zeilenga at Isode.com
Thu Aug 21 17:30:42 CDT 2008


On Aug 21, 2008, at 3:21 PM, Kurt Zeilenga wrote:

>
> On Aug 21, 2008, at 2:34 PM, Dirk Meyer wrote:
>
>> Kurt Zeilenga wrote:
>>> On Aug 21, 2008, at 1:38 PM, Jonathan Dickinson wrote:
>>>
>>>>> -----Original Message-----
>>>>> From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
>>>>> Behalf Of Kurt Zeilenga
>>>>> Sent: Thursday, August 21, 2008 10:32 PM
>>>>> To: XMPP Security
>>>>> Subject: Re: [Security] TLS-SRP Questions
>>>>>
>>>>>
>>>>> On Aug 21, 2008, at 12:19 PM, Dirk Meyer wrote:
>>>>>
>>>>>> ...
>>>>>
>>>>> Why would there be any need to otherwise "verify" A's certificate?
>>>>
>>>> So B knows who they are talking to ;).
>>>
>>> Does B care who A is more than it's the person that asserted they
>>> were some jabberid?
>>
>> Yes, I want mutual trust.
>
> Should I parse this as 'Yes and I want mutual trust'?   That is, just  
> 'Yes' to my question doesn't imply you want mutual trust.

Or to put it another way, mutual authentication can be provided for  
the 'yes' answer as well as for the 'no' answer.  My question was not  
about one-way v. mutual authentication, it was about what each is  
authenticating.

> That's yet another thing.
>
> By the way, the point of these questions is to try to clarify what  
> the problems are that you and others are trying to solve.
>
> Some, I think, would have answered 'no' (B doesn't care who A is  
> more than it's the person that asserted they were some jabberid).
>
>> Maybe the server is compromised or I do not
>> have a server (link local messaging). We need trust in both
>> directions.
>>
>>
>> Dirk
>>
>> -- 
>> Black holes are where God divided by zero.
>


