[Psi-Devel] Off-the-Record messaging for Psi

Dan Ohnesorg Dan at ohnesorg.cz
Mon Oct 15 02:19:14 PDT 2007


On Mon, Oct 08, 2007 at 01:36:28PM +0100, Kevin Smith wrote:
> On 8 Oct 2007, at 13:00, Timo Engel wrote:
> > OTR uses authentication with DSA keys. You can be sure there is no
> > man-in-the-middle attack. Of course, you have to verify the
> > fingerprints of the public keys. With other encryption protocols it's
> > the same problem.
> 
> Is that exposed in this plugin? I've not noticed any client
> presenting keys for oob verification before (in fact, Psi is one of
> the relatively few clients that does SSL cert checking).

But it is not usable.

If you use virtual Jabber hosting over SRV records, Psi validates the CNAME
from the certificate against the hostname before resolving SRV. This means
that you have to request a multi-domain certificate, which no CA provides.

I think that the CNAME should validate the hostname of the physical server,
that is, the name provided by the SRV record.

cheers
dan
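
The mismatch described in this message, as an added example that is not part of the original post or of Psi's code: it compares checking the certificate against the domain the user typed with checking it against the SRV target. All hostnames and certificate names are constructed, and the matcher is a simplified dNSName comparison, not a full X.509 validator.

```python
# Added illustration; every hostname and certificate name below is constructed.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate dNSName with a hostname.

    Case-insensitive, label by label; a wildcard is honoured only as the
    whole left-most label and never directly under a top-level domain.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, reference: str) -> bool:
    """True if any name in the certificate matches the reference identity."""
    return any(dns_name_matches(name, reference) for name in cert_names)


def check(jid_domain: str, srv_target: str, cert_names) -> dict:
    """Evaluate the certificate under both reference identities."""
    return {
        # Name the user typed: known before any DNS lookup is made.
        "jid_domain": cert_covers(cert_names, jid_domain),
        # Name learned from the SRV answer: only as trustworthy as that lookup.
        "srv_target": cert_covers(cert_names, srv_target),
    }


# Constructed scenario: example.org is hosted on a shared server through
# an SRV record for _xmpp-client._tcp.example.org.
JID_DOMAIN = "example.org"
SRV_TARGET = "xmpp1.hosting.example.net"
HOSTING_CERT = ["xmpp1.hosting.example.net"]
MULTI_DOMAIN_CERT = ["xmpp1.hosting.example.net", "example.org", "example.com"]
# Constructed case where the SRV answer names an unrelated host that holds
# a valid certificate for its own name.
OTHER_TARGET = "xmpp.other.example"
OTHER_CERT = ["xmpp.other.example"]

if __name__ == "__main__":
    print("hosting cert     :", check(JID_DOMAIN, SRV_TARGET, HOSTING_CERT))
    print("multi-domain cert:", check(JID_DOMAIN, SRV_TARGET, MULTI_DOMAIN_CERT))
    print("other SRV target :", check(JID_DOMAIN, OTHER_TARGET, OTHER_CERT))
```

The third case shows why the choice of reference identity matters: matching the SRV target accepts whatever host the DNS answer names, so that policy depends on the integrity of the SRV lookup.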

