On 19 Aug 2008, at 21:02, Justin Karneges wrote:
On Monday 18 August 2008 14:34:19 Eric Rescorla wrote:
I would encourage you to try to figure out what *style* of authentication you want and what the constraints are, and then ask what protocol best suits or can be made to best suit those needs.
Eric has stressed this a few times now in the thread, and I wanted to throw in a "me too" here.
Take a look at OTR. It is very popular, but this is most certainly due to its hassle-free user experience, *not* its security properties. Like Esessions, OTR lacks scrutiny. Yet, users enjoy OTR because they are not bothered with public key maintenance, and any fingerprint checking can be easily skipped. The protocol itself is unimportant.
Well, there's an "OTR proxy" that actually is designed to be a man-in-the-middle and be the endpoint, so that a server administrator can log in clear text...
The users still feel warm and happy though.
/O ;-)