[xmppwg] Review of draft-meyer-xmpp-sasl-cert-management-01

Eric Rescorla ekr at rtfm.com
Sat Mar 21 09:22:34 CDT 2009


On Sat, Mar 21, 2009 at 2:39 AM, Dirk Meyer <dmeyer at tzi.de> wrote:
> Eric Rescorla wrote:
>> S 3.
>> I think it's important to be clear on what role certificates are playing
>> here. As far as I can tell, they're basically being used as a key
>> carrier, because that's what TLS requires. Accordingly, the rest
>> of the contents of the cert aren't really that important, just
>> the public key.
>
> Yes. The certificate is just a carrier for a unique identification. All
> additional information in the certificate (e.g. country) does not
> matter.

My point is that the name is superfluous as well.


>> S 5.
>> There needs to be a requirement that this happen over TLS, no?
>
> I don't understand. In 5.6 TLS is started. The stuff before happens over
> the raw stream, everything from 5.8 is TLS secured. I don't know what
> you want to add here.

I'm talking about the certificate management operations *before*
the client certificate has been uploaded.


>> You probably need to specify what goes in the CertificateRequest,
>> since that's intended to include CAs but there won't be any
>> here. Probably empty...
>
> Request what you want,

It's more complicated than that. SOMETHING needs to go in that
field, and if you don't provide guidance, people will screw it up.



>> S 7.
>> Again, why does expiration matter here?
>
> We have to specify how to handle expired certificates or some servers
> will respect the expiration date and some will not. I found it strange
> to require that the date should be ignored.

If you want an expiration date, it should be carried in the management
protocol, not here.


>> S 8.
>> This may be quite hard to implement if, for instance, servers
>> fork for each client.
>
> I leave that to server developers to answer. IMHO it is a must have
> feature for stolen devices. If someone steals my mobile phone, I want to
> remove it from the list. In fact, that is the whole reason why I wrote
> that draft. I want to be able to remove clients and if they all share
> the same password this is not possible.

There's a distinction between "remove from the list" and "terminate
any existing connections." I'm talking about the second. And given
that the user of the stolen mobile phone could potentially change
the certificate list, locking you out entirely, I'm not convinced this
is that important a feature, especially given the implementation
burden.

-Ekr
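The "certificate as key carrier" model Ekr argues for above (only the public key matters, the name and validity dates are superfluous, and the CertificateRequest can carry an empty CA list) as an added worked example; this is not code from the thread or from the draft under review. The Go program below has both sides of a TLS handshake accept the peer's certificate solely by matching the SHA-256 of its SubjectPublicKeyInfo against an enrollment list, and then runs a real handshake over loopback with a client certificate that expired a day ago. The KeyRegistry type, the host name "xmpp.example", and the SelfSigned/Handshake/Scenario helpers are assumptions of the example, not anything the draft specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// KeyRegistry is the set of public keys enrolled for one account, keyed by the SHA-256 of the
// DER SubjectPublicKeyInfo; it stands in for the management protocol's store (an assumption here).
type KeyRegistry map[[32]byte]bool

// SPKIFingerprint hashes the public key only; subject, issuer and validity dates play no part.
func SPKIFingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// VerifyPeer is a tls.Config.VerifyPeerCertificate callback: the leaf is accepted iff its
// key is enrolled. No chain is built and NotBefore/NotAfter are deliberately not consulted.
func (r KeyRegistry) VerifyPeer(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("peer sent no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if !r[SPKIFingerprint(leaf)] {
		return errors.New("peer key is not enrolled")
	}
	return nil
}

// SelfSigned makes a throwaway self-signed Ed25519 certificate with the given validity window.
func SelfSigned(cn string, notBefore, notAfter time.Time) (tls.Certificate, *x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, parsed, err
}

// Handshake runs one TLS handshake over loopback TCP and returns the server's verdict.
func Handshake(server, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return err
	}
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		verdict <- err
	}()
	if c, err := tls.Dial("tcp", ln.Addr().String(), client); err == nil {
		c.Close() // under TLS 1.3 the client can finish before the server's alert arrives
	}
	ln.Close() // also unblocks Accept if the dial never connected
	return <-verdict
}

// Scenario runs a handshake with a client certificate that expired a day ago; the key is
// enrolled or not according to the flag. A nil result means the server accepted the client.
func Scenario(enrolled bool) error {
	now := time.Now()
	serverTLS, serverX509, err := SelfSigned("xmpp.example", now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		return err
	}
	phoneTLS, phoneX509, err := SelfSigned("phone", now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	if err != nil {
		return err
	}
	serverCfg := &tls.Config{
		Certificates:          []tls.Certificate{serverTLS},
		ClientAuth:            tls.RequireAnyClientCert, // a key is required, a chain is not
		ClientCAs:             nil,                      // so the CertificateRequest carries an empty CA list
		VerifyPeerCertificate: KeyRegistry{SPKIFingerprint(phoneX509): enrolled}.VerifyPeer,
	}
	clientCfg := &tls.Config{
		Certificates:          []tls.Certificate{phoneTLS},
		InsecureSkipVerify:    true, // chain and name checks off; the server key is pinned instead
		VerifyPeerCertificate: KeyRegistry{SPKIFingerprint(serverX509): true}.VerifyPeer,
	}
	return Handshake(serverCfg, clientCfg)
}
```

Scenario(true) completes even though the client certificate's NotAfter is in the past, because expiry is not something the server reads from the certificate in this model; if a lifetime is wanted it has to live in the registry that the management protocol maintains. Scenario(false) fails at the server's VerifyPeer, which is what removing a stolen phone's fingerprint from the registry does to its next connection; it does nothing to a connection that already exists, which is the distinction drawn under S 8.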

