[jdev] manifesto & DANE does not cut it

Ralf Skyper Kaiser skyper at thc.org
Tue Nov 19 13:07:16 UTC 2013


On Tue, Nov 19, 2013 at 12:29 PM, Thijs Alkemade <thijs at xnyhps.nl> wrote:

> On 19 nov. 2013, at 12:58, Ralf Skyper Kaiser <skyper at thc.org> wrote:
> > Hi
> >
> >
> > On Tue, Nov 19, 2013 at 11:37 AM, Simon Tennant <simon at buddycloud.com>
> wrote:
> Automatic key pinning works for SSH, because private keys are rarely
> changed
> and people are more tech-savy than average XMPP users. If you start doing
> this
> for XMPP, you'll see a lot of false positives. I doubt you can convince a
> large part of the network to start using self-signed certificates valid
> for a
> long time. Every time a user who doesn't understand the security
> implications
> removes a pin, the security of the system is weakened because it makes MitM
> attacks easier. The manifesto requires software to be able to inform users
> when a certificate changes and I think this is the right approach to
> automatic
> pinning.

By 'average XMPP user' you mean 'average XMPP Server admin' I think.

The user only sees a new certificate if the admin chooses to create a new
key on the same domain name.

The average XMPP server admin is tech-savy. I think I would go as far as
saying that the average
XMPP server admin is more tech-savy than the average apache admin - and
are going to support pinning soon.

There are enough fallbacks to help the tech-unsavy admin if he looses the
key and has to create a new key:
- Can use a new domain (jabber-1.mydomain.org becomes jabber-2.mydomain.org
- Can ask all users to reinstall the jabber client
- Can ask all users to manually remove the pinned key from the client
- Can use 'reverse fingerprinting' where the user can remove an old pinned
key by entering the fingerprint of the new certificate.
- Backup Key (requires protocol change?)

> But right now this is just a proposal, with no working code to go with it.
> With the manifesto going in affect on May 19 2014, I think making this a
> required part of it would be too soon.

Can we add it as an optional goal for May 19 2014?

> [1] = https://tools.ietf.org/html/draft-ietf-websec-key-pinning-08
> [2] = https://tools.ietf.org/html/draft-perrin-tls-tack-02
> [3] = http://mail.jabber.org/pipermail/standards/2013-November/028229.html

Thanks for [3]!

> Regards,
> Thijs
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20131119/f93d8283/attachment.html>

More information about the JDev mailing list