[jdev] manifesto & DANE does not cut it
Ralf Skyper Kaiser
skyper at thc.org
Tue Nov 19 16:21:03 UTC 2013
On Tue, Nov 19, 2013 at 2:12 PM, Ashley Ward <ashley.ward at surevine.com> wrote:
> On 19 Nov 2013, at 12:30, Ralf Skyper Kaiser <skyper at thc.org> wrote:
> > Pinning does not require any protocol change in its simplest form. It
> > can be done with just minor changes on the client side.
>
> Agreed - in its simplest form you could use it on the c2s connection to
> ensure the server’s certificate hasn’t unexpectedly changed and there’s
> nothing to stop xmpp clients implementing it.
It would be nice to have this as an optional item in the manifesto (either
Pinning-light or full pinning) so that it is on the roadmap.
> But this is only a small part of it. XMPP is federated, so how does a user
> ensure that the ongoing s2s connection isn’t compromised?
I agree. But just because we do not have a solution for every security
problem does not mean we should stop developing a solution for any security problem.
[...]
> I think we also need to be careful not to downplay DNSSEC and DANE too.
> They are infinitely better than most of what’s happening today, so saying
> things like "DANE does not cut it” could be disingenuous and may deter
> people from implementing anything because it’s not “perfect”.
>
I agree. DANE is an important step in the right direction.
regards.
ralf