On 18.08.2008 at 13:39, Dirk Meyer wrote:

Yes, that is solution 1 for this problem. Each user can get a
certificate signed by the XMPP CA. But is that practical? I have not
tried to get a signature for my XMPP server yet, but how hard is it?
Every person who can use an IM client and register for an account
should be able to get a signed certificate. IMHO usability is the main
problem we have to keep in mind when trying to solve this.

It's impossible for the average user to get a certificate. Only geeks will use encryption then. I still think we should pay the money needed for a cryptanalysis for ESessions and use that - that's crypto even my grandmother can use! All that hacky TLS for end-to-end stuff is more than user-unfriendly.

Yes, a key-pair and self-sign to make any TLS library happy. After
that we can create a web of trust outside the ssl library. I don't
know if this will work, but it could.

Signing keys is nothing the average user will do. Never.
Do we want crypto for everyone or do we want crypto for geeks only?
I thought Jabber should be secure by default; this means we need something WITHOUT certificate checking or signing. We need something like a SAS etc.
Again: ESessions already provides this.

--
Jonathan
