Dirk Meyer wrote:
> Jonathan Schleifer wrote:
>> On 19.08.2008 at 04:37, Peter Saint-Andre wrote:
>>> I think that obtaining a client certificate from the XMPP ICA would be simpler than obtaining a server certificate. The process for obtaining a server certificate is explained at https://www.xmpp.net/ (I'm offline right now and I don't remember the exact URL) -- it involves requesting a website account at xmpp.net, website admin approval based on access to one of the official email addresses or one of the email addresses in the whois record, then logging into the xmpp.net website to visit a "jump page" from which you can finally access the CA site, etc. By contrast, I think that to obtain a client certificate your client would act on your behalf to interact in-band with an XMPP service at xmpp.net or maybe xmpp.startcom.org, with little or no involvement by the user except to click a big "please generate a security certificate for me" button and probably visit a special URL provided in a message (which message would probably be an x:data form that is specially handled by the client, not a standard message with a human-readable body).
>>
>> Sorry, but no average user will do that, ever. Even most geeks won't do that due to laziness.
>
> If it is a simple "click" then the user will use it, but it has no value. I can create an account and name myself "Peter Saint-Andre". After that I click on "create signature" and get a signature for that. That is useless. A signature means: it is that person. So a certification process has to be more complex and I agree with Jonathan here: no average user will do that. It is much easier to get verified by people you know than from a CA. So IMHO the CA idea is nice but not usable.

This would be a Class 1, XMPP-only cert. Class 1 certs don't have a personal name in them (you need to upgrade to Class 2 for that and provide two GIPIDs and all that), all they say is "this cert goes with this JID".
/psa
