[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Wed Aug 20 09:15:32 CDT 2008


On 19.08.2008 at 23:37, Peter Saint-Andre wrote:

> It's not hacky, it's a clever hack:
>
> 1. Negotiate a reliable transport (could be a direct TCP connection,  
> could be in-band bytestreams over XMPP, whatever).
>
> 2. Start an XML stream.
>
> 3. Upgrade the stream to encrypted using STARTTLS.
>
> You'll notice that this is exactly what we already do for XMPP as  
> defined in RFC 3920. It's just that for end-to-end streams the  
> transport might not be a direct TCP connection as in RFC 3920.

This is hacky as soon as we use it in-band, as that means we need to  
escape it somehow, and that'll most likely be Base64.

--
Jonathan
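
Added example, not part of the original message or of any XMPP implementation: a Python sketch of the escaping cost discussed above, carrying opaque TLS bytes in Base64-encoded `<data/>` elements shaped like XEP-0047 in-band bytestreams. The session id `e2e-1`, the 4096-byte block size and the sample bytes are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

IBB_NS = "http://jabber.org/protocol/ibb"  # XEP-0047 namespace
ET.register_namespace("", IBB_NS)

# Constructed sample: TLS handshake record header bytes plus filler that
# stands in for ciphertext. Not captured traffic.
SAMPLE = b"\x16\x03\x01" + bytes(range(256)) * 40

def raw_embeds_in_xml(data):
    """True only if the bytes survive being placed verbatim in an XML element."""
    try:
        el = ET.fromstring("<data>" + data.decode("latin-1") + "</data>")
    except ET.ParseError:
        return False  # control bytes, '<' or '&' break the enclosing stream
    return (el.text or "").encode("latin-1") == data

def wrap(data, sid, block_size=4096):
    """Split opaque bytes into Base64-encoded <data/> elements with a 16-bit seq."""
    stanzas = []
    for seq, off in enumerate(range(0, len(data), block_size)):
        el = ET.Element(f"{{{IBB_NS}}}data", {"sid": sid, "seq": str(seq % 65536)})
        el.text = base64.b64encode(data[off:off + block_size]).decode("ascii")
        stanzas.append(ET.tostring(el, encoding="unicode"))
    return stanzas

def unwrap(stanzas, sid):
    """Reassemble the byte stream; reject wrong session, gaps and bad Base64."""
    out = bytearray()
    for expected, xml in enumerate(stanzas):
        el = ET.fromstring(xml)
        if el.tag != f"{{{IBB_NS}}}data" or el.get("sid") != sid:
            raise ValueError("not a data element for this session")
        if el.get("seq") != str(expected % 65536):
            raise ValueError("out-of-sequence block")
        out += base64.b64decode(el.text or "", validate=True)
    return bytes(out)

def encoded_chars(stanzas):
    """Total Base64 characters carried, to compare against the raw length."""
    return sum(len(ET.fromstring(s).text or "") for s in stanzas)

if __name__ == "__main__":
    stanzas = wrap(SAMPLE, "e2e-1")
    assert unwrap(stanzas, "e2e-1") == SAMPLE
    print(len(SAMPLE), "raw bytes ->", encoded_chars(stanzas),
          "Base64 chars in", len(stanzas), "stanzas")
```

The Base64 payload is about a third larger than the raw TLS bytes, before counting the XML element and stanza wrapper around each block.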
