On 2008-09-29, 23:25 GMT, Mark Doliner wrote:
> We had some discussion about this two months ago and came to
> the conclusion that Pidgin should verify against the connect
> server or the domain name, but NOT the srv record. The
> reasoning for not verifying the certificate against the srv
> record is that DNS can be poisoned, and so the security
> provided by the certificate is weakened.

I am not taking any side of the barricade (I think that the DNS name of the real Jabber server should be used, because that's what the certificate was published for, but I don't want to get involved in the flamewar), however just let me note that this is a lame argument if I have ever heard one -- the solution to broken DNS servers is to fix them (or actually to apply the available fixes), but quite certainly each Internet-related program should not engineer around a possibility of a poisoned DNS database. That's just lame, IMHO.

Matěj
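
The policy quoted at the top of this message (check the certificate against the connect server or the domain name, not the SRV record), sketched as an added example that is not part of the original post or of Pidgin's code. All function names, host names and certificate name lists are constructed for illustration.

```python
# Added illustration; names and hosts below are constructed, not Pidgin code.

def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host name. A '*' may stand
    only for the whole left-most label (e.g. *.example.org)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def reference_identities(jid_domain, connect_server=None):
    """Names the user typed in: the account's domain and, if set, the
    explicit connect server. The SRV target is deliberately left out,
    because it comes from an unauthenticated DNS answer."""
    return [n for n in (connect_server, jid_domain) if n]


def cert_acceptable(cert_dns_names, jid_domain, connect_server=None):
    """Policy from the quoted message: match against user-supplied names."""
    return any(dns_name_matches(c, ref)
               for ref in reference_identities(jid_domain, connect_server)
               for c in cert_dns_names)


def cert_acceptable_srv(cert_dns_names, srv_target):
    """The rejected alternative: match against the name the SRV lookup gave."""
    return any(dns_name_matches(c, srv_target) for c in cert_dns_names)


# Constructed scenario: account user@example.org; the SRV answer has been
# forged to name a host that holds a CA-valid certificate for itself.
FORGED_SRV_TARGET = "xmpp.attacker.example"
FORGED_HOST_CERT = ["xmpp.attacker.example"]
REAL_CERT = ["example.org", "*.example.org"]

if __name__ == "__main__":
    print("SRV-based check, forged answer:", cert_acceptable_srv(FORGED_HOST_CERT, FORGED_SRV_TARGET))
    print("domain-based check, forged answer:", cert_acceptable(FORGED_HOST_CERT, "example.org"))
    print("domain-based check, real server:", cert_acceptable(REAL_CERT, "example.org"))
```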