Jonathan Dickinson wrote:
-----Original Message-----
From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] On Behalf Of Peter Saint-Andre
Sent: Wednesday, August 20, 2008 7:19 PM
To: XMPP Security
Subject: Re: [Security] TLS Certificates Verification
...
As mentioned, the estimates I received indicated that a full cryptanalysis for ESessions would cost between $100,000 and $200,000. That's not exactly chump change. Feel free to raise that money yourself, but until we have some kind of closure to these discussions, I am not about to approach *anyone* for money.
And given that I have slowly come to see the logic of using TLS-over-XMPP, I am not enthusiastic about raising large sums of money for an ESessions cryptanalysis. And presumably anyone who might fork over $100k-$200k would do some due diligence, read these discussion threads and the relevant specs, and ask why we're not just using TLS-over-XMPP.
I was hoping someone else would latch onto that, I didn't really want to shoot down Jonathan's ideas.
I don't think that people hand over $100k just because they latch onto an idea. Someone needs to sell them on it. I have already sold ESessions once and it didn't go so well:
http://www.xmpp.org/xsf/proposals/trust-proposal.shtml
Once bitten, twice shy.
To me ESessions is a great idea, it's just that it will potentially take a while to get cryptanalysed and so on. Maybe if we just kept it on the back burner for now and concentrated on solutions besides it.
Not a bad idea. We'll focus on the low-hanging fruit of TLS-over-XMPP for a bit and see how that goes. We can always return to ESessions if that doesn't work out.
This thread kinda reminds me of the good ol' days when I suggested binary XML ;).
Yum, broccoli ice cream! :)
Maybe if everyone threw their suggestions into the thread right now (mentioned or not) so that we can all look at the options in front of us?
I think it's most productive to look at the various authentication models, as ekr suggested, rather than pushing for a particular technology.
/psa
