[Security] PGP (XEP-0027)

Peter Saint-Andre stpeter at stpeter.im
Mon Aug 3 09:39:54 CDT 2009



On 8/3/09 7:42 AM, Dirk Meyer wrote:
> Peter Saint-Andre wrote:
>> On 6/3/09 4:35 AM, Simon Josefsson wrote:
>>> Time to restart this document, perhaps?
>>>
>>> http://www.melnikov.ca/mel/Drafts/draft-burdis-cat-srp-sasl-07.txt
>>>
>>> I would replace the security layer with a channel binding to TLS,
>>> though.
>> Interesting. It's 7 years old, but might be worth restarting.
> 
> It looks like the cyrus-sasl library already has support for it. If we
> throw in some channel binding ideas (e.g. merge the certificate
> fingerprints into the password) we could use SASL to verify the TLS
> end-to-end characteristic.

At the XMPP WG meeting in Stockholm, Chris Newman said he thinks that
most people would use leap of faith to bootstrap trust and that this is
a good example of "better than nothing security" (cf. the BTNS WG).
However, it's good to have something stronger for those who want it,
either SRP or SASL with channel bindings (or checking the fingerprints
using some other secure channel such as encrypted email).

Peter

--
Peter Saint-Andre
https://stpeter.im/


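The channel-binding idea discussed in the thread (tying the SASL proof to the TLS server certificate so that an interposed endpoint cannot complete authentication even with the right password), as an added example that is not code from the post or from any SASL library; it is a simplified SCRAM-style HMAC proof with the certificate fingerprint mixed in, and all certificates, salts and nonces are constructed placeholders.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_CERT_DER = b"constructed-der:CN=xmpp.example.org"
OTHER_CERT_DER = b"constructed-der:CN=interposed.example.net"


def cert_fingerprint(cert_der: bytes) -> bytes:
    """Channel-binding data in the style of tls-server-end-point: a hash of
    the end-entity certificate the peer actually presented on this TLS session."""
    return hashlib.sha256(cert_der).digest()


def derive_key(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    """Password-derived key, so the plaintext password never crosses the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def client_proof(password: str, salt: bytes, nonce: bytes, cb_data: bytes) -> bytes:
    """The proof covers the nonce AND the channel-binding data. A client that
    talks to an interposed endpoint will bind to the wrong certificate."""
    key = derive_key(password, salt)
    return hmac.new(key, nonce + cb_data, hashlib.sha256).digest()


def server_verify(password: str, salt: bytes, nonce: bytes,
                  server_cb_data: bytes, proof: bytes) -> bool:
    """The server recomputes the proof with its OWN certificate's fingerprint
    and compares in constant time."""
    expected = client_proof(password, salt, nonce, server_cb_data)
    return hmac.compare_digest(expected, proof)


def run_exchange(cert_seen_by_client: bytes, password: str,
                 real_password: str = "correct horse battery") -> bool:
    """Simulate one SASL exchange over TLS. The genuine server always presents
    SERVER_CERT_DER; the client binds to whatever certificate it observed."""
    salt = b"constructed-salt"          # constructed, would be per-user in practice
    nonce = b"constructed-client+server-nonce"
    proof = client_proof(password, salt, nonce, cert_fingerprint(cert_seen_by_client))
    return server_verify(real_password, salt, nonce,
                         cert_fingerprint(SERVER_CERT_DER), proof)


if __name__ == "__main__":
    print("direct TLS, right password:", run_exchange(SERVER_CERT_DER, "correct horse battery"))
    print("interposed TLS, right password:", run_exchange(OTHER_CERT_DER, "correct horse battery"))
    print("direct TLS, wrong password:", run_exchange(SERVER_CERT_DER, "wrong"))
```

The second case is the one the thread is after: the password is correct, but the proof fails because the client bound it to a certificate the real server never presented.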

