[Security] channel bindings

Peter Saint-Andre stpeter at stpeter.im
Thu Feb 19 13:23:47 CST 2009

Dirk Meyer wrote:
> Peter Saint-Andre wrote:
>> Dirk Meyer wrote:
>>> I think even when using the phone, we would agree on a password. It is
>>> not very userfriendly to compare X.509 fingerprints.
>> Agreed. So I suppose the question is, when and how is the password
>> shared? Is that done via TLS-SRP or somehow after the TLS exchange via SASL?
> Right. http://xmpp.org/extensions/inbox/jingle-xtls.html#password is the
> question here. It would be nice to know what ssl libs can do SRP or
> provide the finish message for channel bindings. openssl and gnutls
> do. What about .dot stuff? J2ME?

Well, SRP doesn't help for automated entities such as set-top boxes. I
don't think we want a solution that is too human-centric, because lots
of projects are using XMPP for communication among machines, devices,
and so on.


Peter Saint-Andre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6751 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20090219/3336564d/attachment.bin 

More information about the Security mailing list