Werner Dittmann spake unto us the following wisdom:
> On 14.06.2012 15:22, Ethan Blanton wrote:
> > David Woolley spake unto us the following wisdom:
> >> [email protected] wrote:
> >> It seems to be encryption without authentication, which means it is
> >> vulnerable to man in the middle attacks.
> >
> > Authentication can be handled by the signalling protocol that sets up
> > the RTP stream.
>
> Yes, but you must make sure that you have secure connections on the
> signalling level and this is not always guaranteed. Depending on the
> authentication method you need support of SIP and/or XMPP servers.

First off, this discussion has gone far enough, there's no need to continue discussing the finer points of authentication and encryption via protocols we don't support on the Pidgin support list. This will be my last email on the topic.

Second, this is misleading-to-untrue. Yes, depending on the method you use, you may need support of the servers. However, no reasonable end-to-end method in either of these specific protocols will require server support, as both protocols support application-specific data exchange between peers. In the case of XMPP, no support is required from the server whatsoever for V/V to begin with, much less for encrypted V/V.

In summary:

* Pidgin does not support ZRTP, but there is no fundamental reason it could not do so. An interested developer could add ZRTP support to farstream or libpurple or whatever; farstream would get it to a wider audience, no doubt.

* ZRTP does not handle key exchange and authentication because the session initiation protocol does so on its behalf.

* Neither XMPP nor SIP requires active server participation in encrypted V/V, although there may be some benefits that could be derived from server involvement (particularly where NATs and firewalls get involved). I suspect on the XMPP side that IBB et al. are plenty sufficient, however, and no specific server involvement is required.

So ... it would be awesome if someone wanted to work on this. As far as I know, no active Pidgin developer is doing so. Bonus points for tie-in with GPG, OTR, S/MIME, or other authentication mechanisms already in use.

Ethan
