Am 19.08.2008 um 14:13 schrieb Eric Rescorla:
Yes, I've noticed we're all using that.
We do. For example, all Gajim users do by default. This is why I'm *STRONGLY* against introducing yet another protocol. We already have working implementations.
Hmm... Is this the most recent version? http://www.xmpp.org/extensions/xep-0116.htmlI've just skimmed it, but the list of things it appears to be missing thatare already in TLS includes: - Support for ECC - Support for RSA - Any form of session resumption - An extensions framework - Support for AEAD ciphers - A PAKE mode.Oh, yeah, is there some writeup of how the stanzas are actually protected once you've established the keys? I see how you negotiate the *encryption* algorithm but not the integrity algorithm and I don't see how you use either to protectthe actual traffic. Maybe I'm just reading the wrong document.
This is just the negotiation. ESessions consists of multiple XEPs. I don't know which of the negotiation XEPs was the simpliefied one. But IIRC, there was RSA support for public keys (but I won't guarantee it).
Look, I'm not trying to sell TLS to XMPP; it doesn't matter to me much what XMPP does. But if you want to provide a solution that users willactually find tolerable, it seems to me that it would be good to actuallyassess what functionality you want the system to provide and *then* ask how it can best be provided, rather than starting with a given protocol and say "prove to me it's not good enough".
IMO, ESessions is already tolerable. We should fix the remaining issues instead of inventing the wheel again with yet another protocol. And while TLS for end-to-end is talk about the future, ESessions is already here and implemented.
-- Jonathan
PGP.sig
Description: This is a digitally signed message part
