[Security] channel bindings

Peter Saint-Andre stpeter at stpeter.im
Wed Feb 18 14:37:21 CST 2009


Dirk Meyer wrote:
> Peter Saint-Andre wrote:
>> Dirk Meyer wrote:
>>> Justin Karneges wrote:
>>>> On Tuesday 10 February 2009 14:52:05 Kurt Zeilenga wrote:
>>>>> While the DIGEST-MD5 provides for a (limited) form of mutual
>>>>> authentication, DIGEST-MD5 offers no assurance to either the client or
>>>>> the party that the end points of the DIGEST-MD5 exchange are the same
>>>>> as the end-points of the TLS exchange.
>>>> You mean if you don't verify the TLS certificate?
>>> We do, channel bindings is a fallback. If we communicate and have both
>>> self-signed certificates, we can not verify each other. 
>> Well, presumably we can verify each other if we use some other channel
>> to communicate information about the certificates (meeting IRL is best,
>> talking over the phone, encrypted email, etc.). At least then the
>> attacker would need to compromise two different channels.
> 
> I think even when using the phone, we would agree on a password. It is
> not very userfriendly to compare X.509 fingerprints.

Agreed. So I suppose the question is, when and how is the password
shared? Is that done via TLS-SRP or somehow after the TLS exchange via SASL?

/psa

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6751 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20090218/34cabb7e/attachment.bin 


More information about the Security mailing list