[Security] About the Firefox 3 Security Dialog & others

Pedro Melo melo at simplicidade.org
Fri Aug 22 15:00:20 CDT 2008


On Aug 22, 2008, at 5:10 PM, Pedro Melo wrote:
> Yes, split the trust decision from the encryption part.
> Self-signed certs, CA-signed certs, and GPG keys provide the same  
> thing: a way to exchange a key to use in a stream cipher to create  
> an encrypted channel.
> This is something that should be standard at the XSF level: how to  
> use those keys to create a encrypted channel.
> The trust requirements vary so much from person to person, from  
> organization to organization, that you'll never get a one-true-way.
> Some people (like me) will use SRP most of the time, with an  
> occasional full signature comparison, specially if I already have  
> said signature from a trusted source (ie, I met you and you gave me  
> your signature).
> Others will require full blown CA certification and they will only  
> trust keys from certain CA's.
> For example, I can see myself (if my client supported it) doing  
> something like this:
>  * membership on group SAPO is restricted to users whose keys are  
> signed by the SAPO CA;
>  * group 'friends' requires at least SRP.

SAS, I meant SAS.

> The client wouldn't let me add contact to such groups without  
> verifying my desired level of paranoia.
> I'm new to this list, and admit that I'm not an expert in SSL/TLS,  
> and all this stuff, but high-level, "trust" is a local-policy  
> thing, and as such difficult to make "standard".

Best regards,
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org

More information about the Security mailing list