Dirk Meyer wrote:
> Peter Saint-Andre wrote:
>> FYI, our latest attempt based on discussions in Brussels...
> [...]
>> URL: http://www.xmpp.org/extensions/inbox/jingle-xtls.html
>
> I would like to hear some comments on section 4. Both from people who
> want to implement it (what does your TLS lib provide?) and from security
> experts (what do you think of 4.3?).

Some general comments:

1. I like the idea of the security-info message as a check to make sure that the responder has received and understood the <security/> element.

2. Let's make it clear that the TLS handshake takes place as usual (i.e., these are "raw" TLS packets not encapsulated in XML).

3. When does a user (if any) approve of proceeding with the session? I assume this happens before the session-accept is sent, because the user's client might expose IP addresses during transport setup.

I'm still working to wrap my head around the SRP/PSK/SCRAM/other stuff, but in general I'd prefer to use a standardized mechanism than to roll our own (cf. esessions....).

/psa
