[Security] channel bindings

Dirk Meyer dmeyer at tzi.de
Wed Feb 18 14:52:12 CST 2009


Peter Saint-Andre wrote:
> Dirk Meyer wrote:
>> I think even when using the phone, we would agree on a password. It is
>> not very userfriendly to compare X.509 fingerprints.
>
> Agreed. So I suppose the question is, when and how is the password
> shared? Is that done via TLS-SRP or somehow after the TLS exchange via SASL?

Right. http://xmpp.org/extensions/inbox/jingle-xtls.html#password is the
question here. It would be nice to know what ssl libs can do SRP or
provide the finish message for channel bindings. openssl and gnutls
do. What about .dot stuff? J2ME?


Dirk

-- 
I try to write idiot proof code, but they keep making better idiots.


More information about the Security mailing list