> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Peter Saint-Andre
> Sent: Wednesday, August 20, 2008 6:32 AM
> To: XMPP Security
> Subject: Re: [Security] TLS Certificates Verification
>
> ...
> >
> > It is out-of-band. Hopefully more secure. Maybe SMSing or Emailing
> > the OTP could work just as well.
>
> I think it's a good idea to use different transports, but I question
> whether SMS or email is more secure than XMPP. I'd prefer the
> combination of XMPP and secure HTTP.

Although SMS is less secure, unencrypted, etc., it does allow us to prove
possession. The perpetrator can hardly hack the poor guy if he doesn't have his 
cell phone. To make the transaction completely safe we would need implied 
identity, knowledge and possession (if I remember correctly). Maybe a secret 
question would be a good idea.

>
> /psa
