[Security] channel bindings

Dirk Meyer dmeyer at tzi.de
Thu Feb 19 13:30:56 CST 2009


Peter Saint-Andre wrote:
> Dirk Meyer wrote:
>> Peter Saint-Andre wrote:
>>> Dirk Meyer wrote:
>>>> I think even when using the phone, we would agree on a password. It is
>>>> not very user-friendly to compare X.509 fingerprints.
>>> Agreed. So I suppose the question is, when and how is the password
>>> shared? Is that done via TLS-SRP or somehow after the TLS exchange via SASL?
>> 
>> Right. http://xmpp.org/extensions/inbox/jingle-xtls.html#password is the
>> question here. It would be nice to know what SSL libs can do SRP or
>> provide the finish message for channel bindings. OpenSSL and GnuTLS
>> do. What about .dot stuff? J2ME?
>
> Well, SRP doesn't help for automated entities such as set-top boxes. I
> don't think we want a solution that is too human-centric, because lots
> of projects are using XMPP for communication among machines, devices,
> and so on.

You can be sure I have that in mind :)

There isn't much of a difference between the three solutions in terms of
usability. SRP works fine for set-top boxes, as do channel bindings. All
require a password. A set-top box could use a remote control to enter
the password or a dumb box could have a fixed password.


Dirk

-- 
Black holes suck.

