On Tue, Aug 19, 2008 at 10:48 AM, Dave Cridland <[EMAIL PROTECTED]> wrote:
> On Tue Aug 19 18:33:53 2008, Eric Rescorla wrote:
>>
>> Actually, this is a lot more complicated than it has to be. TLS has two
>> features that make this trivial to do and that don't rely on certificates
>>
>> 1. A PAKE mode (SRP)[0]
>
> I see how this works, but you're asking for quite a bit of less than usual
> TLS magic involved.
>
> Could we use a simple, channel-binding, shared-secret based SASL mechanism?
Yes, you could, but like TLS-PSK it's susceptible to active dictionary attacks on the shared secret. I haven't entirely worked out what the threat situation is there in terms of the impact on this kind of attack. I don't know if XMPP stacks can typically use SASL, so that would presumably be relevant to the PSK versus SASL question. And note that again you can just use the session cache: you don't need to learn the certs necessarily.

> I've the thought in my head that we could make this essentially the same as
> Bluetooth keying, using the channel binding to "learn" the certificates.

Yes, that's effectively what I'm proposing.

-Ekr
