[Security] TLS Certificates Verification

Brendan Taylor whateley at gmail.com
Tue Aug 19 19:24:15 CDT 2008


On Tue, Aug 19, 2008 at 05:13:10AM -0700, Eric Rescorla wrote:
> - Support for RSA

You can use an RSA or DSA public key for authentication.

> - Any form of session resumption

Not sure what you mean by this, but it may be covered by the Shared
Retained Secret.

> - An extensions framework

I'm not sure what kind of extensions you're thinking of, but I would
hope that XMPP and XEP-0155 session negotiation would already provide
most of the extensibility you'd want.

> Oh, yeah, is there some writeup of how the stanzas are actually protected once
> you've established the keys? I see how you negotiate the *encryption* algorithm
> but not the integrity algorithm and I don't see how you use either to protect
> the actual traffic. Maybe I'm just reading the wrong document.

That's in XEP-0200.

>                 But if you want to provide a solution that users will
> actually find tolerable, it seems to me that it would be good to actually
> assess what functionality you want the system to provide and *then*
> ask how it can best be provided, rather than starting with a given
> protocol and say "prove to me it's not good enough".

I think that's what XEP-0188 was written for (which ESessions was
specifically designed to satisfy). 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://mail.jabber.org/pipermail/security/attachments/20080819/35ae3ac5/attachment.pgp 


More information about the Security mailing list