Dave Cridland wrote:

For "real" authentication, you'd want to use SASL between the client and the MUC service, but if you did this, a rogue server could still intercept the normal MUC messages. So what you need to do is have integrity-protected and encrypted messages, which effectively means needing either to establish MUC/XTLS

Yes, I was thinking about that over the weekend. :)

These are nice long-term goals, of course, but I don't think they're worth insisting on doing right now.

Agreed.

/psa
