[Security] [Jingle] Jingle / e2e security (1)

Peter Saint-Andre stpeter at stpeter.im
Fri Jan 16 15:24:10 CST 2009


Eric Rescorla wrote:
> 
> On Jan 14, 2009, at 2:54 PM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
> 
>> Eric Rescorla wrote:
>>>> Earl wrote:
>>>>> I believe XMPP should use ZRTP and require that ZRTP SASL *must* be
>>>>> displayed so that it can be vocally read to the other party to
>>>>> determine if there is a man in the middle.
>>>>>
>>> I don't think this is very realistic. As I said earlier there are lots
>>> of situations where this doesn't work at all (e.g. IVR). And even in
>>> human to human settings the available data suggests that people will not
>>> actually check the SAS.
>>
>> Plus you don't always (or even often) know what the other person is
>> supposed to sound like.
> 
> That said, the TLS WG has considered doing an SAS feature several times.
> A request for that feature from Jabber/XMPP would be taken seriously.

Once we get the basic "XTLS" stuff nailed, I think it's quite possible
that we'd work together with some other interested parties to define SAS
as a TLS extension. But first things first...

/psa



