No subject


Sat Jul 10 15:26:43 CDT 2010


the keys needed for end-to-end encryption via TLS.<br><br>1. Send keys over=
 XMPP<br>If the user agent is required to only use e2e (and thus communicat=
e keys) when c2s is secure then the following requirement isn&#39;t needed.=
 (Recommended)<br>

keys are sent each time when a e2e TLS connection will be taken place, and =
no caching to take place, because there is a possibly for the keys to be tr=
ansferred over an insecure channel and cached for use where there is a secu=
re one. Impact and attack made in the past, can still take place after the =
client has switched to a secure connection.<br>

<br>*Easy<br>*Automatic (great)<br>*secure if you trust c2s<br>*requires c2=
s<br><br>2. Allow the user to validate the certificate<br>*Hard, confusing =
to some users.<br>*Requires out of band communication<br>*user interaction =
is required<br>

*increased security, doesn&#39;t rely on a 3rd party server, imagine e2e ch=
at as well.<br>*Will work if the server goes down<br><br>I propose a mixtur=
e of both options:<br><br>Ask the user if they want to manually authenticat=
e, by what ever method, fingerprints, socialist millionaire protocol etc. t=
he more the merrier.<br>

And provide an easy and make this choice the default, an automatic verifica=
tion through the server.<br><br>This allows the user increased control over=
 the validation process if they want it<br>But also lets users do things th=
e easy way, and still be secure.<br>


--000e0cd2e0542a10ed048b3f6efb--


More information about the Security mailing list