On Wed, Apr 17, 2013 at 5:08 PM, Simon McVittie <[email protected]> wrote:
> I suggest talking to an appropriate standardization group (we are not
> one of those; the XMPP mailing lists might be) to make this into a
> usable and secure specification.

This will be my next step.

> Isn't this rather exploitable? If a malicious server sends
>
> <challenge>I, Daniele Ricci, promise to pay Simon McVittie $1
> million</challenge>
>
> then you probably don't want to be signing that with your PGP key :-)
>
> (Or if the user is a Debian/Ubuntu developer with upload privileges, it
> could present a Debian .changes file authorizing the upload of a
> malicious package, for instance.)

Other than checking the server challenge for a specific syntax, is there any other way to make this secure? How do I prove that the client has the private key it claims to have?

--
Daniele
_______________________________________________
telepathy mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/telepathy
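The exchange above raises two design questions: how to keep a server from getting the client to sign something meaningful, and how a signature over a challenge proves possession of the key. The following is an added example written for this page, not code from the thread, from Telepathy, or from any XMPP specification. It uses Go's standard-library Ed25519 as a stand-in for the PGP key, and the context string, nonce length and message layout are assumptions chosen for illustration. It combines the syntax check Daniele mentions with two further measures: a fixed domain-separation prefix on the signed bytes, so the signature can never be read as a signature over a document, and a client-chosen nonce, so the server never fully controls what is signed. The server proves key possession by verifying the signature against the exact nonce it issued.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Assumed context string (not from any spec). It is the domain separator: a
// signature over bytes beginning with this prefix cannot be mistaken for a
// signature over an e-mail, a .changes file or any other document.
const signingContext = "xmpp-client-auth-challenge-v1\x00"

// Fixed nonce length; the challenge grammar below admits nothing else.
const nonceLen = 32

// 32 random bytes in standard base64 are exactly 44 characters ending in one
// '=' pad. Free text, XML or a document never matches, so it is never signed.
var challengeRe = regexp.MustCompile(`^[A-Za-z0-9+/]{43}=$`)

// Response is what the client returns to the server.
type Response struct {
	ClientNonce []byte // client-chosen randomness; the server never controls all signed bytes
	Signature   []byte
}

// GenerateKeyPair returns a fresh Ed25519 key pair (stand-in for the PGP key).
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewServerChallenge produces the only form of challenge the server may send.
func NewServerChallenge() (string, []byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	return base64.StdEncoding.EncodeToString(nonce), nonce, nil
}

// ParseChallenge enforces the grammar before the client considers signing.
func ParseChallenge(challenge string) ([]byte, error) {
	if !challengeRe.MatchString(challenge) {
		return nil, errors.New("challenge is not a bare base64 nonce; refusing to sign")
	}
	nonce, err := base64.StdEncoding.Strict().DecodeString(challenge)
	if err != nil {
		return nil, err
	}
	if len(nonce) != nonceLen {
		return nil, errors.New("challenge nonce has wrong length")
	}
	return nonce, nil
}

// signedMessage is the exact byte string both sides sign and verify.
func signedMessage(serverNonce, clientNonce []byte) []byte {
	msg := make([]byte, 0, len(signingContext)+len(serverNonce)+len(clientNonce))
	msg = append(msg, signingContext...)
	msg = append(msg, serverNonce...)
	msg = append(msg, clientNonce...)
	return msg
}

// ClientRespond validates the challenge, adds its own nonce and signs the
// domain-separated transcript. A challenge that fails validation is never signed.
func ClientRespond(priv ed25519.PrivateKey, challenge string) (*Response, error) {
	serverNonce, err := ParseChallenge(challenge)
	if err != nil {
		return nil, err
	}
	clientNonce := make([]byte, nonceLen)
	if _, err := rand.Read(clientNonce); err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, signedMessage(serverNonce, clientNonce))
	return &Response{ClientNonce: clientNonce, Signature: sig}, nil
}

// ServerVerify checks the signature against the nonce the server actually
// issued, so a response to one challenge is useless for any other.
func ServerVerify(pub ed25519.PublicKey, serverNonce []byte, resp *Response) bool {
	if resp == nil || len(resp.ClientNonce) != nonceLen {
		return false
	}
	return ed25519.Verify(pub, signedMessage(serverNonce, resp.ClientNonce), resp.Signature)
}

func main() {
	pub, priv, _ := GenerateKeyPair()
	challenge, serverNonce, _ := NewServerChallenge()
	resp, err := ClientRespond(priv, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("honest challenge verifies:", ServerVerify(pub, serverNonce, resp))

	// The kind of challenge quoted in the thread: rejected before any signing happens.
	_, err = ClientRespond(priv, "I, Daniele Ricci, promise to pay Simon McVittie $1 million")
	fmt.Println("free-text challenge rejected:", err != nil)
}
```

The grammar check alone is not what makes this safe: even a well-formed nonce is signed only after the fixed prefix is prepended, so the signed bytes have no meaning in any other protocol or document format, and the client nonce stops the server from choosing the entire message. With PGP in place of Ed25519 the same layout applies, ideally under a signing subkey dedicated to authentication rather than the key used for mail or package signing.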
