[Security] About the Firefox 3 Security Dialog & others
js-xmpp-security at webkeks.org
Fri Aug 22 10:22:54 CDT 2008
As many of you might already know:
I will take this as an opportunity to state my opinion on our problems
with certs :)
If we have a CA, we need to warn for self-signed certs. But if we do
it like Firefox 3 - which some here considered the right way - it will
scare users away - they can't talk or won't use crypto at all.
Another problem is that a CA means a single point of failure. If that
CA is broken, someone can forge everyone. Plus I don't trust CAs
So what's left?
* Self-signed keys
The problem with self-signed keys is that the fingerprint you need to
verify is very long and most users just won't verify it.
The problem with GPG is that this is geeks-only.
The problem with SRP is bots.
So, I think we shouldn't concentrate on one of these. We should have
more than 1 way. For example, if we have SRP and self-signed certs,
we'd be fine. For bots, we could also add a CA so bots of the same
owner trust each other by just having the root cert.
Any thoughts on this?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: This is a digitally signed message part
Url : http://mail.jabber.org/pipermail/security/attachments/20080822/26487c49/attachment.pgp
More information about the Security