[Security] TLS Certificates Verification

Peter Saint-Andre stpeter at stpeter.im
Tue Aug 19 16:28:06 CDT 2008


Dave Cridland wrote:
> On Tue Aug 19 19:03:06 2008, Eric Rescorla wrote:
>> What Dave is suggesting, I think, would be a garden variety TLS 
>> handshake with
>> whatever ciphersuites you already support and self-signed certs. Then 
>> you'd run
>> SASL with some challenge/response protocol and channel bindings (you'd
>> almost certainly want mutual auth here) and then on the basis of the C/R
>> note that you trusted the peer's self-signed cert
> 
> Right.
> 
> The interesting thing being that - assuming the shared secret mechanism 
> is something like SCRAM - this could be the same mechanism we use to 
> authenticate normally with the server - so there's really virtually no 
> new code involved, potentially, and it makes the general operation even 
> closer to "normal" XMPP channel setup.

Is this the best documentation of SCRAM?

http://tools.ietf.org/html/draft-newman-auth-scram-06

I doubt that will be done by the time we're ready to finish rfc3920bis, 
but you never know (we also have a dependency on IDNA and that story is 
far from over).

/psa

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20080819/e872ceb7/attachment.bin 


More information about the Security mailing list