[Security] XEP-0166, XEP-0167, XTLS - crypto and other stories.
stpeter at stpeter.im
Thu Dec 18 16:33:17 CST 2008
These are very good questions. I'll do some thinking about possible answers.
Dave Cridland wrote:
> I've been trying to follow, and catch up on, a couple of threads
> recently both on standards@ and jingle@, which appear to both be
> concerned with the interaction of Jingle and cryptography (both
> encryption, authentication, and others).
> It seems to me from a thread on jingle@ that XEP-0167 (That's Jingle
> RTP) is moving toward specifying crypto in the terms used by SDP, which
> seems appropriate at first glance, however what concerns me is that
> there's a different thread over on standards@ which relates to a more
> generic crypto-Jingle confluence, moving what's now XEP-0250 to be
> available within the Jingle (XEP-0166) negotiation, and neither thread
> appears to have appeared on security@, which is our list for discussing
> security issues.
> I'd like to encourage some kind of cross-talk here, since it looks to me
> like Dirk Meyer and I are thinking that having "generic security" in
> Jingle (based primarily around TLS on reliable streams) might be useful,
> whereas the VOIP crowd hanging out on jingle@ are focused on [S]RTP.
> I think this cross-talk ought to happen on security@, since we've
> various people there who know much more than I do about TLS, DTLS, and
> SRTP, and the relationship between them, but aren't on either jingle@ or
> standards@ (as far as I know).
> I'd like to get this at least started ASAP, so we don't end up with
> diverging Jingle security layers.
> So, join security@ if you're interested, and I'd like to ask Dirk Meyer
> to summarize what's been discussed about Jingle file transfer and Jingle
> xmlstream security, and if someone else could volunteer to summarize the
> SRTP discussion that happened on jingle@, that's be great.
> Or tell me they're not related, and explain why not (with diagrams and
> pretty pictures). ;-)
More information about the Security