Peter Saint-Andre wrote:
> Dirk Meyer wrote:
>> Peter Saint-Andre wrote:
>>> Dirk Meyer wrote:
>>>> I think even when using the phone, we would agree on a password. It is
>>>> not very user-friendly to compare X.509 fingerprints.
>>> Agreed. So I suppose the question is, when and how is the password
>>> shared? Is that done via TLS-SRP or somehow after the TLS exchange via SASL?
>>
>> Right. http://xmpp.org/extensions/inbox/jingle-xtls.html#password is the
>> question here. It would be nice to know what ssl libs can do SRP or
>> provide the finish message for channel bindings. openssl and gnutls
>> do. What about .dot stuff? J2ME?
>
> Well, SRP doesn't help for automated entities such as set-top boxes. I
> don't think we want a solution that is too human-centric, because lots
> of projects are using XMPP for communication among machines, devices,
> and so on.

You can be sure I have that in mind :) There isn't much of a difference
between the three solutions in terms of usability. SRP works fine for
set-top boxes, as do channel bindings. All require a password. A set-top
box could use a remote control to enter the password or a dumb box could
have a fixed password.

Dirk

-- 
Black holes suck.
