-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Peter Saint-Andre schrieb: > Peter Saint-Andre wrote: >> Peter Saint-Andre wrote: >>> Dirk Meyer has updated the Jingle-XTLS proposal: >>> >>> http://xmpp.org/extensions/inbox/jingle-xtls.html >> Dirk and I have been communicating off-list about this and we will >> provide an updated version before long -- mostly to simplify the >> protocol, clarify the error cases, and generalize the spec so that it >> can be used with both streaming transports (TLS) and datagram transports >> (DTLS). > > We've updated the spec to version 0.0.3. Dirk and I will probably work > on it some more over the weekend. :) > > Peter > Some comments you two might take into account:
Up first the encouraging comment: This is a really well written XEP IMHO. The reasoning for the design seems quite clear and it is not to lengthy, but still seems to explain everything necessary (obviously ignoring the parts that are said to be missing). Keep it that way ;) Criticism and nitpicks: * Example 3 should probably have action='session-accept' * After "The following rules apply to the initiator's handling of the session-accept message:" only the 2. case where the certificate could not be verified is said to require user interaction. I'd personally also want to be asked what to do if encryption wasn't possible (1. case). * As Non-Human Parties may also be (web-)services. Maybe add encrypted E-mail to section 5.1. E.g. Launchpad knows your GPG-key, so they could in theory send you encrypted mail with a PIN. Or/and possibly something more general along the lines of: "If possible any out-of-band method a human could use to convey the PIN is practicable too" E.g. a Asterisk PBX may call you and 'read' a PIN to you (whether sth. like this would be secure depends on the type of telephony and suspected MITM attack of course, but that's a different topic) * Example 10 might need some ellipsis. XTLS being the only feature seems unlikely. * Possibly add some notes about bot2bot verification of certificates (using a CA I'd suspect) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmfdy4ACgkQ0JXcdjR+9YQ9uACffp7aWcK6rSz9s2CiCvKW7PYX 1c4An1IKXjIv/pzJr7Rnxb+8kYXv+qH8 =1QhP -----END PGP SIGNATURE-----
