[Security] TLS Certificates Verification
Peter Saint-Andre
stpeter at stpeter.im
Tue Aug 19 16:28:06 CDT 2008
Dave Cridland wrote:
> On Tue Aug 19 19:03:06 2008, Eric Rescorla wrote:
>> What Dave is suggesting, I think, would be a garden variety TLS
>> handshake with
>> whatever ciphersuites you already support and self-signed certs. Then
>> you'd run
>> SASL with some challenge/response protocol and channel bindings (you'd
>> almost certainly want mutual auth here) and then on the basis of the C/R
>> note that you trusted the peer's self-signed cert
>
> Right.
>
> The interesting thing being that - assuming the shared secret mechanism
> is something like SCRAM - this could be the same mechanism we use to
> authenticate normally with the server - so there's really virtually no
> new code involved, potentially, and it makes the general operation even
> closer to "normal" XMPP channel setup.
Is this the best documentation of SCRAM?
http://tools.ietf.org/html/draft-newman-auth-scram-06
I doubt that will be done by the time we're ready to finish rfc3920bis,
but you never know (we also have a dependency on IDNA and that story is
far from over).
/psa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20080819/e872ceb7/attachment.bin
More information about the Security
mailing list