Dave Cridland wrote:
>> Well, with SRP we need to know if we need it. Once we started
>> certificate-based TLS, it is too late to switch to SRP when the
>> clients do not recognize the certificates. What XEP-0250 does is
>> exchange some information about what certificates the clients will use to
>> detect if SRP is needed or not. That's all.
>
> I was under the impression that you could negotiate with your
> self-signed certificates, and then one or other end could cause a
> renegotiation with SRP, which would be integrity protected with the
> previous magic, thus proving the previous X.509 incantation and
> current SRP spell were cast by the same entity.

I'm not sure how much TLS libraries support renegotiation.

> There's no need for the channel used to run the channel binding
> exchange on to be the same as the channel it's binding, rather
> curiously - the channel used is expected to potentially have a MITM
> present, otherwise there'd be no point in channel binding.
>
> So we can use the existing XMPP C2S/S2S/S2C hops to actually run the
> channel binding on.

Inside Jingle: http://xmpp.org/extensions/inbox/jingle-xtls.html#sect-id2254227

Dirk

-- 
Beat me, whip me, make me use Windows!
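The point made above, that the channel-binding proof can travel over a hop the attacker may control (such as the existing XMPP C2S/S2S path) and still detect a man in the middle on the TLS channel being bound, can be shown with a small simulation. This is an added example and not code from the thread, XEP-0250 or the jingle-xtls draft. It assumes a `tls-unique` style binding (RFC 5929: the first TLS Finished message) and that both peers already hold an authenticated shared key, here a constructed constant standing in for an SRP- or SASL-derived key; the TLS Finished values are constructed random bytes rather than output of a real TLS stack.

```python
import hashlib
import hmac
import os

# Assumption: an authenticated key both peers hold (e.g. from SRP or SASL).
# Constructed value for the simulation; a real deployment derives it from the handshake.
SHARED_KEY = b"constructed-key-from-srp-or-sasl"


def tls_unique(finished_message: bytes) -> bytes:
    """Channel binding value: tls-unique is the first TLS Finished message (RFC 5929)."""
    return finished_message


def make_proof(shared_key: bytes, cb: bytes, nonce: bytes) -> bytes:
    """Proof that the sender observes channel binding `cb`, keyed with the authenticated key.

    The proof may be carried over any channel, including one with a MITM present:
    without `shared_key` an attacker cannot forge a proof for a different `cb`.
    """
    msg = b"channel-binding-proof|" + nonce + b"|" + cb
    return hmac.new(shared_key, msg, hashlib.sha256).digest()


def check_proof(shared_key: bytes, own_cb: bytes, nonce: bytes, proof: bytes) -> bool:
    """Recompute the proof over the receiver's own view of the channel and compare."""
    expected = make_proof(shared_key, own_cb, nonce)
    return hmac.compare_digest(expected, proof)


def run_exchange(finished_seen_by_a: bytes, finished_seen_by_b: bytes,
                 nonce: bytes = b"\x00" * 16) -> bool:
    """Return True if B accepts A's proof, i.e. both ends see the same TLS session.

    The proof is sent A -> B over the (untrusted) XMPP hop; it is bound to the
    TLS channel only through the Finished message each side observed.
    """
    cb_a = tls_unique(finished_seen_by_a)
    cb_b = tls_unique(finished_seen_by_b)
    proof = make_proof(SHARED_KEY, cb_a, nonce)
    return check_proof(SHARED_KEY, cb_b, nonce, proof)


def direct_session() -> bool:
    """No MITM: one TLS session, both peers observe the same Finished message."""
    finished = os.urandom(12)  # constructed stand-in for a TLS Finished message
    return run_exchange(finished, finished)


def mitm_session() -> bool:
    """A MITM terminates TLS twice, so A and B observe different Finished messages
    and B's recomputed proof no longer matches."""
    return run_exchange(os.urandom(12), os.urandom(12))


if __name__ == "__main__":
    print("direct session accepted:", direct_session())   # True
    print("MITM session accepted:  ", mitm_session())     # False
```

The check succeeds only when the two endpoints of the proof exchange are also the two endpoints of the bound TLS session, which is why the hop carrying the proof need not itself be trusted.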
