[Security] TLS Certificates Verification

Jonathan Dickinson jonathanD at k2.com
Tue Aug 19 12:57:28 CDT 2008


Maybe something based on Diffie-Hellman (which SRP uses)?

-----Original Message-----
From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On Behalf Of Dave Cridland
Sent: Tuesday, August 19, 2008 7:48 PM
To: XMPP Security
Subject: Re: [Security] TLS Certificates Verification

On Tue Aug 19 18:33:53 2008, Eric Rescorla wrote:
> Actually, this is a lot more complicated than it has to be. TLS has two
> features that make this trivial to do and that don't rely on certificates
>
> 1. A PAKE mode (SRP)[0]

I see how this works, but you're asking for quite a bit of less than
usual TLS magic involved.

Could we use a simple, channel-binding, shared-secret based SASL
mechanism?

I've the thought in my head that we could make this essentially the
same as Bluetooth keying, using the channel binding to "learn" the
certificates.

That ought to be using essentially out-of-the-box bits of software,
whereas I'm not so sure that SRP quite ranks there yet, and may well
not for a long while.

Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
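
An added example, not part of the original thread or of any XMPP specification: a sketch of the idea discussed above, a shared-secret proof bound to the TLS channel so that a client can "learn" (pin) the server certificate. The function names, the HMAC construction and the certificate byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 of the DER certificate, used here as the channel-binding data."""
    return hashlib.sha256(cert_der).digest()

def server_proof(secret: bytes, nonce_c: bytes, nonce_s: bytes, cert_der: bytes) -> bytes:
    """MAC keyed by the shared secret over both nonces and the certificate hash."""
    msg = b"server" + nonce_c + nonce_s + fingerprint(cert_der)
    return hmac.new(secret, msg, hashlib.sha256).digest()

def learn_certificate(secret: bytes, cert_client_saw: bytes,
                      cert_server_sent: bytes, pins: set) -> bool:
    """Pin the certificate only if the server's proof covers the cert the client saw."""
    nonce_c = secrets.token_bytes(16)  # fresh per attempt, so old proofs cannot be replayed
    nonce_s = secrets.token_bytes(16)
    # Server side: binds its proof to the certificate it actually presented.
    proof = server_proof(secret, nonce_c, nonce_s, cert_server_sent)
    # Client side: recomputes over the certificate seen in its own TLS handshake.
    expected = server_proof(secret, nonce_c, nonce_s, cert_client_saw)
    if not hmac.compare_digest(proof, expected):
        return False  # the two ends saw different certificates: do not pin
    pins.add(fingerprint(cert_client_saw).hex())
    return True

# Constructed sample data: placeholder byte strings standing in for DER certificates.
# Assumption: the shared secret is high-entropy. A short PIN could be guessed offline
# from a captured proof, which is the case a PAKE such as SRP is designed for.
SECRET = secrets.token_bytes(32)
REAL_CERT = b"constructed-server-certificate"
MITM_CERT = b"constructed-interceptor-certificate"

if __name__ == "__main__":
    pins = set()
    print("direct connection pinned:", learn_certificate(SECRET, REAL_CERT, REAL_CERT, pins))
    print("intercepted connection pinned:", learn_certificate(SECRET, MITM_CERT, REAL_CERT, pins))
    print("pins:", pins)
```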

