[Security] TLS Certificates Verification (summary)
Dave Cridland
dave at cridland.net
Wed Aug 20 05:08:24 CDT 2008
On Wed Aug 20 07:37:32 2008, Johansson Olle E wrote:
> 1) XMPP often uses (and the XMPP foundation strongly recommends)
> TLS between client and server. Within server, the messages are in
> the clear. Thus, it gives no secure channel between two end
> points. Also, between two endpoints connecting to servers with
> TLS, there could be a non-TLS connection server-to-server (S2S).
> So even with a TLS connection between a client and a server, we
> can't assume that we have security end-to-end. We need to set that
> up. This discussion is about how to set up confidential and
> authenticated client-to-client sessions, based on the this
> scenario.
Right, good summary.
> 3) Clients may be behind NAT, so even a client-to-client direct
> session may need help from a server (proxy). This will have to be
> considered.
This is a non-issue - we have Jingle, so we have the ability to
negotiate various channels, at least one of which (IBB) will work
through any amount of NATs and firewalling, albeit at a cost of
efficiency and ugliness. Really, this whole debate about IBB vs NATs
vs whatever is immaterial; we have Jingle specifically to solve all
these problems, and it passes the buck to ICE-TCP et al to solve the
tricky cases.
> 5) Not all clients are human. We need solutions, but maybe not one
> solution, for
> - human clients on some sort of computer
> - bots with a delegation from a human (set-top-boxes)
> - applications (XMPP is used as middleware)
For reasons concerning the retention of my santity, at least, I'd
prefer these to be as common as possible.
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Security
mailing list