Dave Cridland wrote:
On Tue Aug 19 19:03:06 2008, Eric Rescorla wrote:What Dave is suggesting, I think, would be a garden variety TLS handshake with whatever ciphersuites you already support and self-signed certs. Then you'd runSASL with some challenge/response protocol and channel bindings (you'd almost certainly want mutual auth here) and then on the basis of the C/R note that you trusted the peer's self-signed certRight.The interesting thing being that - assuming the shared secret mechanism is something like SCRAM - this could be the same mechanism we use to authenticate normally with the server - so there's really virtually no new code involved, potentially, and it makes the general operation even closer to "normal" XMPP channel setup.
Is this the best documentation of SCRAM? http://tools.ietf.org/html/draft-newman-auth-scram-06I doubt that will be done by the time we're ready to finish rfc3920bis, but you never know (we also have a dependency on IDNA and that story is far from over).
/psa
smime.p7s
Description: S/MIME Cryptographic Signature
