On 19 Nov 2013, at 11:58, Ralf Skyper Kaiser <sky...@thc.org> wrote:
> This attack and vulnerability in the TLS authentication has been recognized 
> by all major browser manufacturers. Pinning (on top of DNSSEC) is being 
> implemented as we speak. Why jabber tries so hard to be less secure than 
> the web browser is a mystery to me.

I guess one of the issues is that XMPP, being federated, is far more 
complicated than the straightforward client-server of the web. I’m far from an 
expert on these things, but some kind of certificate pinning would require some 
extra xmpp protocol, would it not? Plain DNSSEC and DANE could be implemented 
today though, so my view would be: let’s make sure we’re using the best we can do 
today and implement the silver standard, and then have a really good discussion 
about how to implement the gold standard (potentially certificate pinning, but 
even this has drawbacks).

For users that absolutely require secrecy then they can still use e2e 
encryption today.

Let’s implement what we already have standards for today as a good start, and 
then, once that’s implemented, we can look at the gold standard. Otherwise we 
risk delaying for no really good reason.

—
Ash
