Eric Rescorla wrote:
What Dave is suggesting, I think, would be a garden variety TLS handshake with whatever ciphersuites you already support and self-signed certs. Then you'd run SASL with some challenge/response protocol and channel bindings (you'd almost certainly want mutual auth here) and then on the basis of the C/R note that you trusted the peer's self-signed cert.
Yes, I think that about sums it up. /psa
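To make the sequence concrete, here is an added illustration (not code from either correspondent) of the flow being described: an unauthenticated TLS handshake with self-signed certificates, followed by a mutually authenticated challenge/response exchange that is bound to that TLS channel, after which the client records trust in the self-signed certificate it saw. The TLS layer itself is not simulated; the two "certificates" are constructed byte strings standing in for DER-encoded certs, the channel binding is modelled on tls-server-end-point (a hash of the server's certificate), and the challenge/response is a plain HMAC scheme over a shared secret rather than any specific SASL mechanism. All names and values are assumptions for the example.

```python
"""Added example: channel-bound mutual challenge/response on top of a
TLS session that used self-signed certificates.  Everything here is
constructed for illustration; no real TLS or SASL library is involved."""
import hashlib
import hmac
import secrets

# Constructed stand-ins for DER-encoded self-signed certificates.
SERVER_CERT = b"constructed-DER: CN=server.example, self-signed"
MITM_CERT = b"constructed-DER: CN=server.example, self-signed (different key)"


def channel_binding(cert_der: bytes) -> bytes:
    """tls-server-end-point style binding: a hash of the server certificate
    that this endpoint actually saw in its own TLS handshake."""
    return hashlib.sha256(cert_der).digest()


def proof(key: bytes, role: bytes, cnonce: bytes, snonce: bytes, cb: bytes) -> bytes:
    """HMAC over a role label, both nonces and the channel binding, so a
    proof made for one direction or one TLS channel cannot be replayed."""
    return hmac.new(key, b"|".join([role, cnonce, snonce, cb]), hashlib.sha256).digest()


class Server:
    def __init__(self, key: bytes, own_cert_der: bytes):
        self.key = key
        self.cb = channel_binding(own_cert_der)  # computed from the cert it served
        self.snonce = secrets.token_bytes(16)

    def challenge(self) -> bytes:
        return self.snonce

    def verify_client(self, cnonce: bytes, client_proof: bytes):
        """Return the server's proof if the client proof checks out, else None.
        A client whose TLS channel terminated at a different certificate
        computes a different binding and fails here."""
        expected = proof(self.key, b"client", cnonce, self.snonce, self.cb)
        if not hmac.compare_digest(expected, client_proof):
            return None
        return proof(self.key, b"server", cnonce, self.snonce, self.cb)


class Client:
    def __init__(self, key: bytes, seen_cert_der: bytes):
        self.key = key
        self.seen_cert = seen_cert_der
        self.cb = channel_binding(seen_cert_der)  # from the cert seen on the wire
        self.cnonce = secrets.token_bytes(16)
        self.snonce = b""
        self.pinned = None  # set only after the server authenticates

    def respond(self, snonce: bytes):
        self.snonce = snonce
        return self.cnonce, proof(self.key, b"client", self.cnonce, snonce, self.cb)

    def verify_server(self, server_proof) -> bool:
        """On success, trust the self-signed cert for this peer from now on."""
        expected = proof(self.key, b"server", self.cnonce, self.snonce, self.cb)
        if server_proof is not None and hmac.compare_digest(expected, server_proof):
            self.pinned = self.seen_cert
            return True
        return False


def run_exchange(client_key: bytes, server_key: bytes,
                 client_seen_cert: bytes, server_cert: bytes):
    """Drive one challenge/response round; returns (authenticated, pinned_cert)."""
    server = Server(server_key, server_cert)
    client = Client(client_key, client_seen_cert)
    cnonce, cproof = client.respond(server.challenge())
    sproof = server.verify_client(cnonce, cproof)
    return client.verify_server(sproof), client.pinned


if __name__ == "__main__":
    key = b"constructed shared secret"
    print(run_exchange(key, key, SERVER_CERT, SERVER_CERT))  # direct channel
    print(run_exchange(key, key, MITM_CERT, SERVER_CERT))    # interposed cert
```

The second call shows why the channel binding matters: if the client's TLS session terminated at a different certificate than the one the server presented, the two sides derive different bindings, the HMAC proofs do not match, and no trust in the certificate is recorded.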
