Dirk Meyer wrote:
> Justin Karneges wrote:
>> On Tuesday 13 January 2009 15:16:23 Peter Saint-Andre wrote:
>>> According to my reading of RFC 4568, SDP Security Descriptions MUST NOT
>>> be used unless the signalling channel (that's XMPP for us) can "provide
>>> strong message authentication and packet-payload encryption, as well as
>>> effective replay protection". Because we don't provide those services in
>>> XMPP out of the box, I don't think we can securely use a=crypto (or our
>>> XMLish flavor of a=crypto as currently described in XEP-0167). But we
>>> might be able to use it if we negotiate XTLS (or some other e2e method)
>>> first.
>> I'm of the opinion that requiring e2e encryption to bootstrap secure oob
>> sessions is perfectly acceptable. Relatedly, I'm of the opinion that having
>> oob sessions inherit the security properties of XMPP helps avoid confusion.
>
> +1
>
> We already have SRTP support by sending the encryption parameters in
> Jingle. If we do the whole VoIP Jingle negotiation over an e2e secure
> stream, we have perfect security; e2e security for text chats gives us
> SRTP support for free.

Correct. So my message "Jingle / e2e security (2)" will be about IM. :)

Peter
