On Aug 21, 2008, at 12:19 PM, Dirk Meyer wrote:
Jonathan Dickinson wrote:
And my hard-laboured formatting got messed up.
:)
Initiator opens connection
Target gets connection and presents certificate
Initiator verifies certificate with IC -> Fail if invalid
Initiator presents certificate
Target verifies certificate -> Fail if invalid
Success
The point is, from what I can tell, TLS supports all of that.
Yes, but the question is how to verify a certificate from someone you
do not know which is not signed by a CA. Or I'm I missing something in
your argumentation?
Dirk,
I understand the problem is that a user A asserts they are some
jabberid to user B, and now B wants to establish a "secure" channel
with A.
B connects to the asserted jabberid and establishes a secure channel.
Now B wants to prove that person that its A on the other end of
this channel.
Note that B may not know or care who A is (other than they are the
person that made the assertion).
Presumedly A asserted some sort of fingerprint of their certificate at
the same time they asserted their jabberid.
In this case, it seems that all B needs to do is check that the
certificate presumedly by A in establishing the "secure" channel has
the same fingerprint.
Why would there be any need to otherwise "verify" A's certificate?
-- Kurt
Dirk
--
A bad random number generator: 1, 1, 1, 1, 1, 4.33e+67, 1, 1, 1...
