Justin Karneges wrote:
> On Tuesday 13 January 2009 15:16:23 Peter Saint-Andre wrote:
>> According to my reading of RFC 4568, SDP Security Descriptions MUST NOT
>> be used unless the signalling channel (that's XMPP for us) can "provide
>> strong message authentication and packet-payload encryption, as well as
>> effective replay protection". Because we don't provide those services in
>> XMPP out of the box, I don't think we can securely use a=crypto (or our
>> XMLish flavor of a=crypto as currently described in XEP-0167). But we
>> might be able to use it if we negotiate XTLS (or some other e2e method)
>> first.
>
> I'm of the opinion that requiring e2e encryption to bootstrap secure oob
> sessions is perfectly acceptable. Relatedly, I'm of the opinion that having
> oob sessions inherit the security properties of XMPP helps avoid confusion.

+1

We already have SRTP support by sending the encryption parameters in
Jingle. If we do the whole VoIP Jingle negotiation over an e2e secure
stream, we have perfect security; e2e security for text chats gives us
SRTP support for free.

Dirk
--
Five exclamation marks, the sure sign of an insane mind.
-- (Terry Pratchett, Reaper Man)
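
The RFC 4568 requirement quoted in this thread follows from the attribute's format: the SRTP master key and salt are carried base64-encoded in the a=crypto line itself, so anyone who can read or alter the signalling can read or replace the key. The sketch below is an added example, not code from the thread or from any XMPP project; it uses the SDP text form rather than the XEP-0167 XML form, and the `accept_offer` function and its `channel_is_e2e` flag are hypothetical names for the "negotiate e2e first" policy discussed above.

```python
import base64
import re

# (key, salt) lengths in bytes for the SRTP crypto suites defined in RFC 4568.
# Narrowed to a single inline key parameter; RFC 4568 also allows several.
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)((?:\|[^ |]+)*)(?: (.*))?$"
)


def parse_crypto(line):
    """Split one a=crypto line into tag, suite, master key, master salt, extras."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not a single-key RFC 4568 a=crypto line")
    tag, suite, b64, extras, session = m.groups()
    if suite not in SUITES:
        raise ValueError("unknown crypto suite: " + suite)
    key_len, salt_len = SUITES[suite]
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != key_len + salt_len:
        raise ValueError("key||salt has wrong length for " + suite)
    return {
        "tag": int(tag),
        "suite": suite,
        "master_key": raw[:key_len],      # readable by anyone who sees the line
        "master_salt": raw[key_len:],
        "key_extras": [e for e in extras.split("|") if e],  # lifetime, MKI
        "session_params": session.split() if session else [],
    }


def accept_offer(line, channel_is_e2e):
    """Hypothetical policy: honour a=crypto only over an e2e-secured channel."""
    if not channel_is_e2e:
        raise PermissionError("a=crypto offered without e2e-protected signalling")
    return parse_crypto(line)


# Constructed sample: bytes 0x00..0x1d as key||salt, not a real key.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + SAMPLE_KEY + "|2^20|1:4"
```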