[messaging] Are we pursuing real solutions for security?

Tony Arcieri bascule at gmail.com
Tue Mar 11 13:15:01 PDT 2014


On Tue, Mar 11, 2014 at 10:33 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net
> wrote:

> This use case still a real security issue, and i haven't heard a
>  plausible answer yet about how SAS can be used to verify a web server's
> key without introducing a number of troubling vulnerabilities.


To flip the question around: are key fingerprints / TOFU a good way to
verify a server's identity? I personally don't think so

-- 
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140311/c2a85719/attachment.html>


More information about the Messaging mailing list