On Tue, Nov 19, 2013 at 2:12 PM, Ashley Ward <[email protected]> wrote:

> On 19 Nov 2013, at 12:30, Ralf Skyper Kaiser <[email protected]> wrote:
>
> > Pinning does not require any protocol change in its simplest form. It
> > can be done with just minor changes on the client side.
>
> Agreed - in its simplest form you could use it on the c2s connection to
> ensure the server’s certificate hasn’t unexpectedly changed and there’s
> nothing to stop xmpp clients implementing it.

It would be nice to have this as an optional item in the manifesto (either
Pinning-light or full pinning) so that it is on the roadmap.

> But this is only a small part of it. XMPP is federated, so how does a user
> ensure that the ongoing s2s connection isn’t compromised?

I agree. But just because we do not have a solution for every security
problem, we should not stop developing a solution for any security problem.

[...]

> I think we also need to be careful not to downplay DNSSEC and DANE too.
> They are infinitely better than most of what’s happening today, so saying
> things like "DANE does not cut it” could be disingenuous and may deter
> people from implementing anything because it’s not “perfect”.

I agree. DANE is an important step in the right direction.

regards,

ralf
_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
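The "pinning-light" check discussed above, as an added example that is not code from this thread or from any XMPP client or library. It shows the client-side-only variant: the client pins the base64 SHA-256 of the server certificate's DER SubjectPublicKeyInfo (the same quantity RFC 7469 HPKP pins), learns it on first contact or takes it from config, and refuses a c2s connection whose key changes unexpectedly. Pinning the key rather than the whole certificate lets the server renew its certificate without breaking the pin as long as it keeps the same key. Everything here is an assumption for illustration: the DER helpers, `PinStore`, the host name `xmpp.example.org`, and the certificates, which are constructed skeletons with the right X.509 field layout but an empty issuer and subject and a dummy signature, so they parse but would never validate. A real client would take the DER from its TLS session (for example `ssl.SSLSocket.getpeercert(binary_form=True)`). As the thread notes, this only covers the client's own c2s hop; the s2s connection between servers is invisible to the client.

```python
"""Added example: HPKP-style SPKI pinning on a client's c2s connection.
Not from the JDev thread or any XMPP project; certificates are constructed.
"""
import base64
import hashlib

# --- tiny DER helpers (enough for the X.509 field layout, not full ASN.1) ---

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element: tag, definite length, body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the element at buf[pos]; return (tag, body, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def _children(body: bytes):
    """Split a constructed element's body into (tag, full_tlv_bytes) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = _read_tlv(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo element of an X.509 certificate.
    TBSCertificate = [0] version OPTIONAL, serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ... (RFC 5280 layout)."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs_tlv = _children(cert_body)[0]              # tbsCertificate
    _, tbs_body, _ = _read_tlv(tbs_tlv, 0)
    fields = _children(tbs_body)
    if fields and fields[0][0] == 0xA0:               # explicit [0] version present
        fields = fields[1:]
    return fields[5][1]                               # serial, sigalg, issuer, validity, subject, SPKI


def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(DER SPKI)): the pin string a client stores or ships."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


class PinStore:
    """Per-host pin set (hypothetical). Unknown hosts are learned on first
    use (TOFU); preloaded pins from config skip the learning step."""

    def __init__(self, preloaded=None):
        self.pins = {h: set(p) for h, p in (preloaded or {}).items()}

    def check(self, host: str, cert_der: bytes) -> str:
        pin = spki_pin(cert_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = {pin}                   # first contact: remember the key
            return "recorded"
        return "match" if pin in known else "mismatch"   # mismatch: abort the connection


# --- constructed sample certificates (structure only, never signed) ---------

_OID_EC_PUBKEY = bytes.fromhex("2a8648ce3d0201")        # 1.2.840.10045.2.1
_OID_P256 = bytes.fromhex("2a8648ce3d030107")           # 1.2.840.10045.3.1.7
_OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

def make_spki(point: bytes) -> bytes:
    """SubjectPublicKeyInfo around a made-up uncompressed P-256 point."""
    alg = der_tlv(0x30, der_tlv(0x06, _OID_EC_PUBKEY) + der_tlv(0x06, _OID_P256))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00\x04" + point))


def fake_cert(spki: bytes, serial: int) -> bytes:
    """Constructed X.509 skeleton: empty issuer/subject, dummy signature bytes."""
    validity = der_tlv(0x30, der_tlv(0x17, b"131119000000Z") + der_tlv(0x17, b"141119000000Z"))
    sig_alg = der_tlv(0x30, der_tlv(0x06, _OID_SHA256_RSA))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))         # version v3
                  + der_tlv(0x02, bytes([serial]))              # serialNumber (small, positive)
                  + sig_alg + der_tlv(0x30, b"")                # signature, issuer
                  + validity + der_tlv(0x30, b"")               # validity, subject
                  + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    key_a, key_b = make_spki(bytes(range(64))), make_spki(bytes(range(64, 128)))
    store = PinStore()
    print(store.check("xmpp.example.org", fake_cert(key_a, 1)))   # recorded (first contact)
    print(store.check("xmpp.example.org", fake_cert(key_a, 2)))   # match (renewed cert, same key)
    print(store.check("xmpp.example.org", fake_cert(key_b, 3)))   # mismatch (key changed: abort)
```

The TOFU branch is what makes this "light": nothing authenticates the very first contact, so a client that can ship pins in its configuration (the `preloaded` argument) should do so and treat a learned pin only as a fallback. The pin is computed over the full SPKI element, tag and length included, which is why the helper returns the element's raw bytes rather than just its body.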
