"Perry E. Metzger" <[EMAIL PROTECTED]> writes:

>TLS is just a pretty straightforward well analyzed protocol for protecting a
>channel -- full stop. It can be used in a wide variety of ways, for a wide
>variety of apps. It happens to allow you to use X.509 certs, but if you
>really hate X.509, define an extension to use SPKI or SSH style certs. TLS
>will accommodate such a thing easily. Indeed, I would encourage you to do
>such a thing.
Actually there's no need to even extend TLS; there's a standard and very simple technique which is probably best-known from its use in SSH but has been in use in various other places as well:

1. The first time your server fires up, generate a self-signed cert.

2. When the user connects, have them verify the cert out-of-band via its fingerprint. Even a lower-security simple phrase or something derived from the fingerprint is better than nothing.

3. For subsequent connections, warn if the cert fingerprint has changed.

That's currently being used by a number of TLS-using apps, and works at least as well as any other mechanism. At a pinch, you can even omit (2) and just warn if a key that doesn't match the one first encountered is used; that'll catch everything but an extremely consistent MITM.

Using something like SSH keys isn't going to give you any magical security that X.509 certs don't; you'll just get something equivalent to the above mechanism.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
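The three-step trust-on-first-use check described in the reply, as an added example that is not part of the original thread. It assumes the peer's certificate is available as DER bytes (as returned by `ssl.SSLSocket.getpeercert(binary_form=True)`), uses an in-memory dict standing in for a known_hosts-style file, and a constructed 16-word list for the "simple phrase" of step (2); certificate bytes in the demo are constructed placeholders, not real certificates.

```python
import hashlib
from typing import Dict, Tuple

# Constructed word list (assumption): one word per hex nibble of the digest.
_WORDS = ["apple", "bread", "cloud", "delta", "eagle", "flame", "grape", "house",
          "ivory", "jelly", "kite", "lemon", "mango", "night", "ocean", "piano"]


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate, colon-separated upper-case hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_phrase(der_cert: bytes, nbytes: int = 3) -> str:
    """Lower-security phrase derived from the leading fingerprint bytes (step 2).
    Two words per byte; only 24 bits are covered, so it is a convenience, not a
    substitute for comparing the full fingerprint."""
    digest = hashlib.sha256(der_cert).digest()
    words = []
    for b in digest[:nbytes]:
        words.append(_WORDS[b >> 4])
        words.append(_WORDS[b & 0x0F])
    return " ".join(words)


def check_peer(store: Dict[str, str], host: str, der_cert: bytes) -> Tuple[str, str]:
    """Trust-on-first-use decision for one connection.
    Returns (state, fingerprint) where state is:
      'first-use' - no pinned key yet; the key is recorded and the caller should
                    have the user verify the returned fingerprint out-of-band (step 2)
      'match'     - same key as first encountered
      'mismatch'  - key changed; the caller must warn (step 3). The pinned
                    fingerprint is returned so the warning can show both values."""
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp          # step 1/2: pin the key seen on first use
        return "first-use", fp
    if pinned == fp:
        return "match", fp
    return "mismatch", pinned      # step 3: do NOT silently update the pin


if __name__ == "__main__":
    known: Dict[str, str] = {}
    cert_a, cert_b = b"constructed-der-cert-A", b"constructed-der-cert-B"
    print(check_peer(known, "mail.example", cert_a))   # first-use: verify phrase/fp
    print(fingerprint_phrase(cert_a))
    print(check_peer(known, "mail.example", cert_a))   # match
    print(check_peer(known, "mail.example", cert_b))   # mismatch: warn
```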