[Security] About the Firefox 3 Security Dialog & others
js-xmpp-security at webkeks.org
Sat Aug 23 07:18:28 CDT 2008
Am 23.08.2008 um 11:04 schrieb Dirk Meyer:
> SAS does not work for me when I use bots. It also reduces it to one
> way removing the option of X.509 certificates which is something I
I never said SAS should be the only way, we need multiple ways. I
* SAS with mnemonics
* Fingerprint verification
* CA, but no CA added in the client by default (so the user has to
trust the CA manually, for example useful in a company so you don't
have to verify every co-worker)
>> Having a 32-bit SAS encoded with Mnemonics (like already suggested
>> here) really sounds like a great idea.
> Why not encode a key fingerprint with Mnemonics? Looks like the same
> to the user.
Only taking 32 bit of the fingerprint and using Mnemonics is insecure
as this is easy to forge - we already discussed it here.
BTW: It was argued a lot that ESessions misses a cryptanalysis, but if
we are going to do extensions to TLS, we might need a cryptanalysis
for this stuff too. TLS is useless if we add a verification method
that is insecure.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: This is a digitally signed message part
Url : http://mail.jabber.org/pipermail/security/attachments/20080823/71706d00/attachment.pgp
More information about the Security