[Security] About the Firefox 3 Security Dialog & others
melo at simplicidade.org
Fri Aug 22 15:00:20 CDT 2008
On Aug 22, 2008, at 5:10 PM, Pedro Melo wrote:
> Yes, split the trust decision from the encryption part.
> Self-signed certs, CA-signed certs, and GPG keys provide the same
> thing: a way to exchange a key to use in a stream cipher to create
> an encrypted channel.
> This is something that should be standard at the XSF level: how to
> use those keys to create a encrypted channel.
> The trust requirements vary so much from person to person, from
> organization to organization, that you'll never get a one-true-way.
> Some people (like me) will use SRP most of the time, with an
> occasional full signature comparison, specially if I already have
> said signature from a trusted source (ie, I met you and you gave me
> your signature).
> Others will require full blown CA certification and they will only
> trust keys from certain CA's.
> For example, I can see myself (if my client supported it) doing
> something like this:
> * membership on group SAPO is restricted to users whose keys are
> signed by the SAPO CA;
> * group 'friends' requires at least SRP.
SAS, I meant SAS.
> The client wouldn't let me add contact to such groups without
> verifying my desired level of paranoia.
> I'm new to this list, and admit that I'm not an expert in SSL/TLS,
> and all this stuff, but high-level, "trust" is a local-policy
> thing, and as such difficult to make "standard".
XMPP ID: melo at simplicidade.org
More information about the Security