[Security] channel bindings
dmeyer at tzi.de
Thu Feb 19 13:30:56 CST 2009
Peter Saint-Andre wrote:
> Dirk Meyer wrote:
>> Peter Saint-Andre wrote:
>>> Dirk Meyer wrote:
>>>> I think even when using the phone, we would agree on a password. It is
>>>> not very user-friendly to compare X.509 fingerprints.
>>> Agreed. So I suppose the question is, when and how is the password
>>> shared? Is that done via TLS-SRP or somehow after the TLS exchange via SASL?
>> Right. http://xmpp.org/extensions/inbox/jingle-xtls.html#password is the
>> question here. It would be nice to know what ssl libs can do SRP or
>> provide the finish message for channel bindings. openssl and gnutls
>> do. What about .dot stuff? J2ME?
> Well, SRP doesn't help for automated entities such as set-top boxes. I
> don't think we want a solution that is too human-centric, because lots
> of projects are using XMPP for communication among machines, devices,
> and so on.
You can be sure I have that in mind :)
There isn't much of a difference between the three solutions in terms of
usability. SRP works fine for set-top boxes, as do channel bindings. All
require a password. A set-top box could use a remote control to enter
the password or a dumb box could have a fixed password.
Black holes suck.