On Thu Aug 21 16:37:55 2008, Hannes Tschofenig wrote:
TLS-SRP does not make a lot of sense in the context of end-to-end security between two clients.

If you exchange a shared secret along the signaling path then you can feed that right into TLS-PSK without the need to use TLS-SRP. That is, however, not ideal either (from a security point of view).

Instead, you might just want to use the same stuff that was done with DTLS-SRTP where the fingerprint of a cert is exchanged along the signaling path to be later compared to the certs being exchanged in the DTLS (or TLS run).

Aren't you making the assumption that the signalling path is secure, here? In our case, it's that path we're assuming is untrustworthy, hence the need for this secured channel.

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
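As an added illustration of the fingerprint-over-signaling scheme Hannes refers to above (not code from either poster), the following Python uses only the standard library to produce and check an SDP "a=fingerprint:" attribute of the form used by DTLS-SRTP: the hash of the DER certificate is carried along the signaling path, and the certificate the peer actually presents in the DTLS/TLS handshake is hashed and compared against it. The "certificate" bytes here are constructed placeholders, not real DER; the function and variable names are my own.

```python
import hashlib
import hmac
import re
from typing import Tuple

# Hash-function names as they appear in the SDP "a=fingerprint:" attribute,
# mapped to hashlib constructors.
_HASH_FUNCS = {
    "sha-1": hashlib.sha1,
    "sha-224": hashlib.sha224,
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}

# a=fingerprint:<hash-func> <hex pairs separated by colons>
_FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(?P<func>[A-Za-z0-9-]+)\s+"
    r"(?P<hex>(?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})\s*$"
)

# Constructed placeholder "certificates" (not real DER), used for the demo.
ALICE_CERT_DER = b"constructed-placeholder-certificate-bytes-for-alice"
OTHER_CERT_DER = b"constructed-placeholder-certificate-bytes-for-someone-else"


def parse_fingerprint_attribute(line: str) -> Tuple[str, bytes]:
    """Parse 'a=fingerprint:<func> AA:BB:...' into (func, digest bytes).

    Rejects malformed lines, unknown hash functions, and digests whose
    length does not match the named hash, so a truncated or padded
    fingerprint cannot slip through the comparison later.
    """
    m = _FINGERPRINT_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed fingerprint attribute: {line!r}")
    func = m.group("func").lower()
    if func not in _HASH_FUNCS:
        raise ValueError(f"unsupported hash function: {func}")
    digest = bytes.fromhex(m.group("hex").replace(":", ""))
    expected_len = _HASH_FUNCS[func]().digest_size
    if len(digest) != expected_len:
        raise ValueError(
            f"{func} fingerprint must be {expected_len} bytes, got {len(digest)}"
        )
    return func, digest


def certificate_fingerprint(cert_der: bytes, func: str = "sha-256") -> bytes:
    """Hash the DER-encoded certificate with the named hash function."""
    return _HASH_FUNCS[func](cert_der).digest()


def format_fingerprint_attribute(cert_der: bytes, func: str = "sha-256") -> str:
    """Build the SDP attribute the offerer puts on the signaling path."""
    digest = certificate_fingerprint(cert_der, func)
    return f"a=fingerprint:{func} " + ":".join(f"{b:02X}" for b in digest)


def peer_certificate_matches(signaled_attribute: str, presented_cert_der: bytes) -> bool:
    """Check the certificate seen in the DTLS/TLS handshake against the
    fingerprint received over signaling. Uses a constant-time comparison."""
    func, signaled = parse_fingerprint_attribute(signaled_attribute)
    actual = certificate_fingerprint(presented_cert_der, func)
    return hmac.compare_digest(signaled, actual)


if __name__ == "__main__":
    attr = format_fingerprint_attribute(ALICE_CERT_DER)
    print(attr)
    print("alice's cert accepted:", peer_certificate_matches(attr, ALICE_CERT_DER))
    print("other cert accepted:  ", peer_certificate_matches(attr, OTHER_CERT_DER))
```

The comparison binds the DTLS peer to whoever wrote the fingerprint into the signaling, and nothing more; as Dave's reply points out, when the signaling path itself is the untrusted part, the check inherits that weakness, so the fingerprint attribute needs its own integrity protection (for example, a signed or otherwise authenticated signaling message) before it adds assurance.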
