-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Florian Zeitz wrote: > Peter Saint-Andre schrieb: >> Peter Saint-Andre wrote: >>> Peter Saint-Andre wrote: >>>> Dirk Meyer has updated the Jingle-XTLS proposal: >>>> >>>> http://xmpp.org/extensions/inbox/jingle-xtls.html >>> Dirk and I have been communicating off-list about this and we will >>> provide an updated version before long -- mostly to simplify the >>> protocol, clarify the error cases, and generalize the spec so that it >>> can be used with both streaming transports (TLS) and datagram transports >>> (DTLS). >> We've updated the spec to version 0.0.3. Dirk and I will probably work >> on it some more over the weekend. :) > >> Peter > > Some comments you two might take into account: > > Up first the encouraging comment: > This is a really well written XEP IMHO. The reasoning for the design > seems quite clear and it is not to lengthy, but still seems to explain > everything necessary (obviously ignoring the parts that are said to be > missing). Keep it that way ;)
Thanks! We added the "approach" section today so that we could more clearly understand what we were doing. I'm glad it was useful for someone else. :) > Criticism and nitpicks: > * Example 3 should probably have action='session-accept' Will fix. > * After "The following rules apply to the initiator's handling of the > session-accept message:" only the 2. case where the certificate could > not be verified is said to require user interaction. I'd personally also > want to be asked what to do if encryption wasn't possible (1. case). Good point. > * As Non-Human Parties may also be (web-)services. Maybe add encrypted > E-mail to section 5.1. E.g. Launchpad knows your GPG-key, so they could > in theory send you encrypted mail with a PIN. > Or/and possibly something more general along the lines of: "If possible > any out-of-band method a human could use to convey the PIN is > practicable too" E.g. a Asterisk PBX may call you and 'read' a PIN to > you (whether sth. like this would be secure depends on the type of > telephony and suspected MITM attack of course, but that's a different topic) Those are helpful suggestions, thanks. > * Example 10 might need some ellipsis. XTLS being the only feature seems > unlikely. I've started removing the ellipses from the XML because I like to validate the examples. See here: http://xmpp.org/extensions/examples/ > * Possibly add some notes about bot2bot verification of certificates > (using a CA I'd suspect) Yes that seems the likely approach. In fact we have a CA so it could start issuing client certificates. Thanks for the feedback, you've inspired me to keep working on this. :) Peter - -- Peter Saint-Andre https://stpeter.im/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmfffsACgkQNL8k5A2w/vwZ5wCg56i5Rm197pmVdU1XGWtFrt0l JXUAoNVB2zvlIr3hn/YvMcbNjkrJs+SO =LA6G -----END PGP SIGNATURE-----
