[jdev] manifesto & DANE does not cut it
Ashley Ward
ashley.ward at surevine.com
Tue Nov 19 12:26:07 UTC 2013
On 19 Nov 2013, at 11:58, Ralf Skyper Kaiser <skyper at thc.org> wrote:
> This attack and vulnerability in the TLS authentication has been recognized by all major browser manufactures. Pinning (on top of DNSSEC) is being implemented as we speak. Why jabber tries so hard of being less secure than the web browser is a mystery to me.
I guess one of the issues is that XMPP, being federated, is far more complicated than the straightforward client-server of the web. I’m far from an expert on these things but some kind of certificate pinning would require some extra xmpp protocol would it not? Plain DNSSEC and DANE could be implemented today though so my view would be let’s make sure we’re using the best we can do today in imlement the silver standard, and then have a really good discussion about how to implement the gold standard (potentially certificate pinning, but even this has drawbacks).
For users that absolutely require secrecy then they can still use e2e encryption today.
Let’s implement what we already have standards for today as a good start, and then, once that’s implemented, we can look at the gold standard. Otherwise we risk delaying for no really good reason.
—
Ash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4154 bytes
Desc: not available
URL: <https://www.jabber.org/jdev/attachments/20131119/81cf0465/attachment.bin>
More information about the JDev
mailing list