On 8/22/13 7:07 AM, Ralph J.Mayer wrote:
>> its CA chain are sane, and (2) verifying that my server handles
>> real-world remote certs properly. Oh, and (3) if I need to relax
>> the verification settings so that it doesn't drop traffic due to
>> "bad" certs.
>
> This is the really annoying part. You have to choose between
> accepting crappy certs or not getting any connection.
>
> Plus, if you want things like pfs, it also depends on the right
> version of all the software involved ...
>
> Dane is nice, but the complexity is huge. And don't get me started
> on key/cert rollovers.
>
>
> All this pain, and we're still talking about the transport layer.
> The user has no control over this layer. He needs to trust that
> everything was configured the right way. Without otr/pgp, the user
> is still at risk of disclosed cleartext messages.

I don't disagree at all -- convincing the developers of your favorite IM client to support OTR (in all likelihood) is also important. But, this is the operators@xmpp.org list and I think that operators of XMPP service also need to clean up their act with regard to security.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/