[Security] S2S Leap of faith w/ SASL EXTERNAL

Jesus Cea jcea at jcea.es
Wed Nov 17 20:48:59 CST 2010



On 18/11/10 02:52, Kim Alvefur wrote:
> The thing I wanted to get at was to make it simpler for smaller
> deployments, like some friends' personal servers, to establish some
> measurement of trust between themselves, without all the bureaucracy
> that CAs bring.

Too bad DNSSEC is being deployed almost as slowly as IPv6.

I do care about MITM attacks. But when you don't have any other choice...

I was thinking about DNSSEC and storing X.509 fingerprints in the DNS...
That could destroy the need for an X.509 CA hierarchy.

You can actually do it now, with no DNSSEC, if you accept DNS is safe
(current situation with dialbacks).

Store the certificate fingerprint in a DNS record.

- -- 
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea at jabber.org         _/_/    _/_/          _/_/_/_/_/
.                              _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
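The fingerprint-in-DNS check the post sketches, as an added example that is not code from this thread or from any XMPP server: it hashes the peer's DER certificate, looks for a matching fingerprint in the TXT answer, and lets the caller choose between "accept DNS is safe" (the post's dialback-level trust) and requiring a DNSSEC-validated answer. The TXT layout `v=fp1; alg=sha256; fp=<hex>`, the `DnsAnswer` class with its `authenticated` flag (standing in for a resolver's AD bit) and the certificate bytes are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a DER-encoded X.509 certificate: the fingerprint
# is just a hash over the DER bytes, so any byte string exercises the logic.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-example-certificate-bytes"


def cert_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER encoding: the value the DNS record carries."""
    return hashlib.sha256(der).hexdigest()


def parse_fingerprint_record(txt: str) -> dict:
    """Parse the hypothetical TXT layout 'v=fp1; alg=sha256; fp=<hex>'."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key.strip().lower()] = value.strip().lower()
    return fields


@dataclass
class DnsAnswer:
    txt_records: list
    authenticated: bool  # assumed AD bit: True only if the resolver validated DNSSEC


def verify_peer_cert(der: bytes, answer: DnsAnswer, require_dnssec: bool) -> bool:
    """Accept the peer certificate only if DNS publishes a matching fingerprint.

    require_dnssec=False is the post's "accept DNS is safe" mode (no stronger
    than dialback); require_dnssec=True rejects any unvalidated answer."""
    if require_dnssec and not answer.authenticated:
        return False
    actual = cert_fingerprint(der)
    for txt in answer.txt_records:
        record = parse_fingerprint_record(txt)
        if record.get("alg") != "sha256" or "fp" not in record:
            continue  # unknown algorithm or malformed record: ignore it
        if hmac.compare_digest(record["fp"], actual):
            return True
    return False  # no record matched: do not take the leap of faith


if __name__ == "__main__":
    fp = cert_fingerprint(SAMPLE_CERT_DER)
    answer = DnsAnswer([f"v=fp1; alg=sha256; fp={fp}"], authenticated=False)
    print(verify_peer_cert(SAMPLE_CERT_DER, answer, require_dnssec=False))
```

The same idea was later standardized as DANE TLSA records (RFC 6698), which replace the ad hoc TXT layout assumed here.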

