[Free-RTC] QR codes, mobile SIP provisioning, TLS certs
Saúl Ibarra Corretgé
saghul at gmail.com
Fri Jul 8 18:09:00 CEST 2016
>>
>> I followed the thread, good talk! Here is a completely different
>> approach: make the information in the QR code insecure by design.
>>
>> Not sure if this is the case, but I got inspired by how WhastApp does
>> it. The QR code needs to be displayed somewhere. Where is that? If
>> that's a website where the user already logged in, the dynamically
>> generated QR code could have some plaintext data with the user account
>> credentials.
>>
>> Now, if we also want to provision the TLS cert, then passing a URL
>> pointing to it and the expected fingerprint should work (right?).
>>
>
> To clarify the reason I mentioned QR codes in the first place, it is
> only for user convenience. Although humans can't read the QR codes,
> they are not "secure", just obscure
>
> I don't see any reason we can't let the user see the provisioning URL
> and credentials and enter them manually, but the more convenient we make
> it the more people will use it.
Agreed. I never meant to imply they would need to be obscured in any way.
So, the information we would encode could be:
- account URI
- password
- server / outbound proxy (optional)
- TLS cert URL
- TLS cert fingerprint
Anything else?
--
Saúl Ibarra Corretgé
http://bettercallsaghul.com
More information about the Free-RTC
mailing list