[18278] in cryptography@c2.net mail archive
Re: Another entry in the internet security hall of shame....
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Thu Aug 25 22:12:21 2005
X-Original-To: cryptography@metzdowd.com
To: Ian G <iang@systemics.com>
Cc: "Trei, Peter" <ptrei@rsasecurity.com>,
Peter Saint-Andre <stpeter@jabber.org>, cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 25 Aug 2005 14:09:48 -0700
In-Reply-To: <430E2F62.802@systemics.com> (Ian G.'s message of "Thu, 25 Aug
2005 21:51:46 +0100")
Ian G <iang@systemics.com> writes:
> Trei, Peter wrote:
>
>> Self-signed certs are only useful for showing that a given
>> set of messages are from the same source - they don't provide
>> any trustworthy information as to the binding of that source
>> to anything.
>
> Perfectly acceptable over chat, no? That is,
> who else would you ask to confirm that you're
> chatting to your buddy?
Most chat protocols (and Jabber in particular) are server-oriented
protocols. So, the SSL certificate in question isn't that of your
buddy but rather of your Jabber server.
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com