Peter Saint-Andre wrote:

>> Using an existing CA you have to pay a lot of money; users
>> don't like that :) And setting up your own CA is not that simple,
>
> https://www.xmpp.net/ :)

If I'm paranoid, why should I trust the same CA that verified the server I use? Maybe they are both controlled by the same person.

>> creating self-signed certificates on the other hand is an openssl
>> one-liner.
>
> Right. We've also looked into short authentication strings (SAS) for use
> in XTLS. But that would be farther out.

IMHO we have several use cases here:

1. User to user communication: they can talk. Maybe they exchange a shared secret somehow and can use that to verify the fingerprint. No CA needed.

2. My service based idea. In that case bots "talk" to each other.
   a. Both peers belong to the same user. One other entity added them to the network.
   b. They belong to different users. The users trust each other.
   c. The service belongs to a company. E.g. you access flickr with XMPP in the future. The Flickr service entity has a valid certificate but the user has not.

Well, I think HOW to verify a certificate belongs to an extra document.

Dirk

-- 
Stress is when You wake up screaming and then realize You haven't slept at all
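The "openssl one-liner" and the fingerprint check from use case 1, written out as an added example (not code from the thread or from any XTLS implementation). It assumes a POSIX sh with openssl on the PATH; the file prefix, the CN and the shared secret are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: self-signed certificate generation
# plus two ways a peer can check the other side's certificate without a CA:
# comparing the full fingerprint obtained out of band, or comparing a short
# code derived from the fingerprint and a shared secret the users exchanged.
set -eu

# Generate a self-signed certificate and key in one openssl invocation.
# $1 = output file prefix, $2 = subject CN (constructed; a JID in practice).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate, colon-separated hex, no label.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare a certificate file against a fingerprint the other peer sent
# over a channel you already trust. Returns 0 on match, 1 otherwise.
verify_pinned() {
    actual=$(cert_fingerprint "$1")
    [ "$actual" = "$2" ]
}

# Short code for human comparison: HMAC-SHA256 of the fingerprint keyed
# with the shared secret ($2), truncated to 8 hex digits. Both peers compute
# it for the same certificate; an attacker without the secret cannot forge
# a matching code for a substituted certificate.
short_code() {
    cert_fingerprint "$1" | openssl dgst -sha256 -hmac "$2" \
        | sed 's/^.*= *//' | cut -c1-8
}
```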