[Standards-JIG] RE: [Standards-JIG] MUC Invitations, Jingle Relays, and Big Problems

Dave Cridland dave at cridland.net
Wed Nov 8 21:37:06 UTC 2006


On Wed Nov  8 17:59:10 2006, Philipp Hancke wrote:
> If my server connects to 'montague' and the remote side shows a
> certificate for 'capulet', this is a problem. If my server
> continues connecting, this is defeating any security that TLS
> may yield. Yet this is something that seems to be done quite
> often...

No, that's merely ignoring a considerable degree of the 
authentication that TLS may offer.

But privacy (and compression) will be unaffected by this, and that's 
an important part of security too. Given that you might be able to 
use dialback, etc, that's quite possibly good enough, especially if 
your server caches certificate fingerprints and gets paranoid when 
they change.

That's not to say that Peter's work in trying to get XMPP-aware 
certificates out there isn't a good move, and will help security, 
it's just that lack of a proper TLS certificate (or, indeed, lack of 
any certificate) does not equate to no security.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
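As an added illustration of the distinction drawn in the reply above (a certificate that verifies for the expected domain gives authentication; a mismatched one still gives privacy, and a cache of certificate fingerprints can at least flag a change), here is example code that is not part of the thread and not taken from any XMPP server. It uses only the Go standard library, generates self-signed certificates for the constructed domains `montague.example` and `capulet.example`, and classifies the result of an s2s TLS handshake with a hypothetical `Assess` function: name-verified, encrypted-only on first sight, fingerprint-pinned on later sights, or fingerprint-changed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Outcome classifies what a TLS handshake on a server-to-server link bought us.
type Outcome int

const (
	Authenticated      Outcome = iota // chain verifies AND the certificate names the expected domain
	EncryptedOnly                     // name mismatch, first sight: privacy yes, authentication no; fingerprint recorded
	EncryptedPinned                   // name mismatch, but the fingerprint matches what we cached earlier
	FingerprintChanged                // name mismatch AND the fingerprint differs from the cached one: alert
)

func (o Outcome) String() string {
	return [...]string{"Authenticated", "EncryptedOnly", "EncryptedPinned", "FingerprintChanged"}[o]
}

// PinStore maps a remote domain to the hex SHA-256 of the DER certificate we first saw for it.
type PinStore map[string]string

// fingerprint returns the SHA-256 of the DER encoding, the usual "certificate fingerprint".
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Assess is a hypothetical policy function: full verification for the expected
// domain wins; otherwise fall back to first-sight fingerprint pinning and flag changes.
func Assess(domain string, cert *x509.Certificate, roots *x509.CertPool, pins PinStore) Outcome {
	opts := x509.VerifyOptions{DNSName: domain, Roots: roots}
	if _, err := cert.Verify(opts); err == nil {
		return Authenticated
	}
	fp := fingerprint(cert)
	prev, seen := pins[domain]
	switch {
	case !seen:
		pins[domain] = fp // trust on first use: remember, but this is NOT authentication
		return EncryptedOnly
	case prev == fp:
		return EncryptedPinned
	default:
		return FingerprintChanged
	}
}

// selfSigned builds a throwaway self-signed certificate naming the given domain
// (constructed test data; a real deployment would see the peer's actual chain).
func selfSigned(name string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// RunScenario replays the situation from the thread: we connect to montague,
// the peer presents a certificate for capulet. Both certificates are trusted
// roots here so that the ONLY failure is the name mismatch.
func RunScenario() []Outcome {
	montague := selfSigned("montague.example")
	capulet := selfSigned("capulet.example")
	roots := x509.NewCertPool()
	roots.AddCert(montague)
	roots.AddCert(capulet)
	pins := PinStore{}
	return []Outcome{
		Assess("montague.example", montague, roots, pins),                   // Authenticated
		Assess("montague.example", capulet, roots, pins),                    // EncryptedOnly
		Assess("montague.example", capulet, roots, pins),                    // EncryptedPinned
		Assess("montague.example", selfSigned("capulet.example"), roots, pins), // FingerprintChanged
	}
}

func main() {
	for i, o := range RunScenario() {
		fmt.Printf("handshake %d: %s\n", i+1, o)
	}
}
```

The point of the split is that only the first outcome means the peer is who it claims to be; the middle two mean the link is private but the remote identity rests on dialback or a previous sighting, and the last is the "gets paranoid when they change" case that deserves an alert rather than a silent reconnect.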


