Subj : BINKP over TLS
To   : Alexey Fayans
From : Rob Swindell
Date : Thu Dec 19 2019 03:43 pm

Re: BINKP over TLS
By: Alexey Fayans to Rob Swindell on Fri Dec 20 2019 01:24 am

 > >> 2. For any kind of TLS something must be decided on certificate
 > >> authority.
 > RS> Nope. Self-signed certificates provide privacy via TLS just fine.
 > RS> A CA is only needed if you're going to use TLS for trust. If you're
 > RS> only using TLS for privacy, then a CA-signed certificate is not
 > RS> needed.
 >
 > The whole sentence is wrong. A CA is required to make sure that the
 > certificate provided by the server was not replaced by an attacker during
 > a MitM attack. With a self-signed certificate you can never tell that you
 > are connecting to the real system, unless you know a CA pubkey used to
 > sign that self-signed certificate. That's kinda basic stuff.

True, if you're concerned about active MitM attacks (not just passive
snooping). But if you're concerned about active MitM attacks, then you don't
want to use STARTTLS either.

digital man

Synchronet "Real Fact" #94: Synchronet v3.15b was released in October of 2011
(5 years after v3.14a).
Norco, CA WX: 65.0°F, 24.0% humidity, 1 mph ESE wind, 0.00 inches rain/24hrs
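The authenticity gap both posters describe can be closed without a CA by pinning the peer's self-signed certificate fingerprint, exchanged out of band the same way a session password is. The following is an added example, not Synchronet or BinkP code; the host, port and certificate bytes are constructed placeholders.

```python
"""Pin a peer's self-signed certificate by SHA-256 fingerprint.

Added example (hypothetical helper, not Synchronet/BinkP code). A self-signed
certificate gives TLS privacy; authenticity of the peer comes from comparing
its certificate fingerprint with one exchanged out of band (for example next
to the BinkP session password), which closes the active-MitM gap without a CA.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, hex, colon-separated like openssl prints it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(cert_der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    expected = pinned.replace(":", "").lower()
    return hmac.compare_digest(hashlib.sha256(cert_der).hexdigest(), expected)


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """TLS connect that skips CA validation but refuses any cert other than the pinned one.

    CERT_NONE only disables chain validation; the pin check is what rejects a
    substituted certificate, and the socket is closed before any application
    data (such as the BinkP session password) is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # no CA chain, so no hostname check either
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    cert_der = tls.getpeercert(binary_form=True)  # DER bytes even with CERT_NONE
    if cert_der is None or not pin_matches(cert_der, pinned):
        tls.close()
        raise ssl.SSLCertVerificationError("peer certificate does not match the pin")
    return tls


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; only their hashes matter here.
    real_der, fake_der = b"constructed-real-peer-cert", b"constructed-attacker-cert"
    pin = fingerprint(real_der)  # this value is what the sysop exchanges out of band
    print(pin, pin_matches(real_der, pin), pin_matches(fake_der, pin))  # ... True False
```

For a real link, `connect_pinned("bbs.example.invalid", 24554, pin)` (placeholder host) is called in place of a plain TLS connect; a substituted certificate makes it raise before any BinkP frame is sent.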