[Security] [Fwd: [Standards] Proposed XMPP Extension: XMPP Transport Layer Security]

Peter Saint-Andre stpeter at stpeter.im
Wed Feb 18 13:11:32 CST 2009


Dirk Meyer wrote:
> Peter Saint-Andre wrote:
>> FYI, our latest attempt based on discussions in Brussels...
> [...]
>> URL: http://www.xmpp.org/extensions/inbox/jingle-xtls.html
> 
> I would like to hear some comments on section 4. Both from people who
> want to implement it (what does your TLS lib provide?) and from security
> experts (what do you think of 4.3?).

Some general comments:

1. I like the idea of the security-info message as a check to make sure
that the responder has received and understood the <security/> element.

2. Let's make it clear that the TLS handshake takes place as usual
(i.e., these are "raw" TLS packets not encapsulated in XML).

3. When does a user (if any) approve of proceeding with the session? I
assume this happens before the session-accept is sent, because the
user's client might expose IP addresses during transport setup.

I'm still working to wrap my head around the SRP/PSK/SCRAM/other stuff,
but in general I'd prefer to use a standardized mechanism rather than roll
our own (cf. esessions....).

/psa




