Peter Saint-Andre wrote: > On 3/4/09 2:40 AM, Dirk Meyer wrote: >> >> Eric Rescorla wrote: >>>>> 2. The XTLS <security/> element enables a party to provide a hint about >>>>> which TLS methods might be used (e.g., "x509" or "srp"), whereas no SDP >>>>> methods are defined for that functionality. I could work with the >>>>> authors of DTLS-SRTP to include something along these lines. >>>> How do they solve the problem of bootstrapping trust? We could force >>>> x509 if we talk to SIP clients, e.g. a SIP client will always support >>>> this methid and has no fallback. I know, that sucks. >>> I'm not sure I understand what the advantage of this functionality is in >>> any case. >> >> The idea behind the method exchange is to know in advance if X.509 >> certificates will work or if we need SRP. For SRP the client has to ask >> the user while X.509 works without any user interaction. > > Dirk, you also mentioned in a private message that the XMPP client might > need to initialize the TLS library in different ways. I don't know > enough about existing TLS libraries to weigh in on that.
My TLS lib (and I guess others) require a certificate for X.509 and a user database for SRP on start-up. So I need the password from the user _before_ I can start the TLS server code. For that, I need to know if we use SRP (I need to ask the user) or not (no user interaction). That reminds me of a bug in the draft: SRP needs a username and a password. We do not need the username stuff, but we need something from the TLS lib. So we should say that the username is the bare JID of the initiator or something like that. It doesn't matter, it could be 'foo', but we need to define something. > Ideally, yes. The question is: what counts as a "special requirement"? > As far as I know, both OpenSSL and GnuTLS now support SRP. I don't know > whether they support channel bindings yet. GnuTLS has support to get the Finished message and Dave wrote that OpenSSL has support for that, too. That is all we need from the TLS lib for SCRAM. > I'd prefer not to build something homegrown I know, I don't like it either > but we can work on this at the IETF. I hope so Dirk -- A morning without coffee is like something without something else.
