Dirk Meyer <[EMAIL PROTECTED]> wrote:
> No, it is missing the one thing we also need for TLS: how to verify a
> public key? Let's say I have two bots. They discover each other and
> open an ESession. Bots can not use secrets (I do not want to configure
> a secret for each possible bot-bot combination). So we have public
> keys. Now I have the same problem I have with TLS: is this the correct
> public key. Maybe I (as user) signed the bot keys (in a user friendly
> way like click "add as my bot"). How to verify the signature? I want
> to avoid setting up a CA. I need an answer to that question or
> ESessions are as useless as TLS.

As bots are not people who might be afraid to verify a key or get a certificate, they could use a certificate issued by a CA. :)

We have to differentiate between bot communication and human communication. What is acceptable for human communication maybe isn't for bot communication, what is acceptable for bot communication maybe isn't acceptable for human communication. Thus, it's a good thing ESessions offer both.

--
Jonathan
