[OTR-dev] Re: [Gaim-devel] gaim-OTR, AIM DirectIM, and messaging signals
Ethan Blanton
eblanton at cs.ohiou.edu
Mon Feb 20 22:35:29 EST 2006
Ian Goldberg spake unto us the following wisdom:
> > Users of this mechanism need an
> > SSL cert... savvy users can generate their own and self-sign them or
> > pay to have them signed, and AOL offers verisign-signed certificates
> > for a key. I have no idea what the registration / verification
> > mechanism is for the latter process.
>
> So there's no binding whatsoever between the cert and the screen name?
> In what sense is it a cert, then?
Ideally the provided-by-AOL certifications would certify something
about the identity of the owner; given their staunch position on not
identifying the owners of screen names, this may not be the case.
> And the wiki page would seem to suggest that self-signed certs work just
> fine. So why would aimencrypt.com offer a constant cert to everyone
> when they could just offer a little widget to generate a fresh
> self-signed one?
Not that this would provide a whole lot more (effective) security ...
because they could just keep and distribute copies of the private
keys. ;-)
Ethan
--
The laws that forbid the carrying of arms are laws [that have no remedy
for evils]. They disarm only those who are neither inclined nor
determined to commit crimes.
-- Cesare Beccaria, "On Crimes and Punishments", 1764
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.cypherpunks.ca/pipermail/otr-dev/attachments/20060220/9527e4fe/attachment.pgp>
More information about the OTR-dev
mailing list