Peter Saint-Andre <[email protected]> writes:

> On 6/2/09 2:34 PM, Simon Josefsson wrote:
>> Peter Saint-Andre <[email protected]> writes:
>>
>>> On 6/2/09 1:56 PM, Dave Cridland wrote:
>>>> On Tue Jun 2 18:56:35 2009, Jonathan Schleifer wrote:
>>>>> What if DSA gets completely broken someday? Then we're screwed. And if
>>>>> we want to be algorithm-independent, we need to implement something
>>>>> very similar to OpenPGP anyway.
>>>> Or TLS.
>>>>
>>>> Which, incidentally, can use PGP keys.
>>> AFAIK only GnuTLS has (experimental) support for RFC 5081 (which is
>>> itself experimental):
>>>
>>> http://tools.ietf.org/html/rfc5081
>>
>> The OpenPGP implementation in GnuTLS is not experimental. I believe the
>> RFC is experimental for IETF political reasons, there is no organized
>> experiment conducted as far as I know.
>
> Thanks for the clarification. Personally I'd love to have key-login to
> XMPP servers (and HTTP servers!) so that we could move beyond passwords
> for authentication. Perhaps we need to lean on the OpenSSL folks about
> this, too?

It seems http://rt.openssl.org/Ticket/Display.html?id=1794 is the place
to do that. ;)

While I like PGP/X509 to be used, I think it is important to also
support secure communication to happen based on a shared secret. While
the security industry likes to believe public key solutions will solve
everything, what normal people understand will continue to be
"passwords". And it should be possible to build a secure communication
system bootstrapped from a password.

One approach is for implementations to generate the X509/PGP certs on
the fly, and authenticate them using the shared secret.

/Simon
