[Security] TLS Certificates Verification

[Peter Saint-Andre]

Eric Rescorla wrote:

> So, again, I think it would be best to separate two issues:
> 
> (1) What style of authentication you want.
> (2) What protocol it's embodied in.
> 
> I think we can all agree on the following:
> (1) You must have an operational mode that doesn't require certified
> public keys.
> (2) There needs to be some continuity of authentication mechanism so whatever
>      manual authentication stage only needs to be done once.
> (3) The manual authentication stage should be as convenient as possible.
> (4) The system needs to work with Bots on the other end.

Thanks, that's helpful.

> As I indicated in my blog post,
> http://www.educatedguesswork.org/2008/08/authentication.html
> there are a number of potential options, including fingerprints, passwords,
> and SAS. Each has some advantages and disadvantages, and it may
> be the case that you need to have multiple options.
> 
> Speaking as someone who knows COMSEC but isn't really part of the XMPP
> community, I would encourage you to try to figure out what *style* of
> authentication
> you want and what the constraints are, and then ask what protocol best suits
> or can be made to best suit those needs.

The thinking behind ESessions and some of the discussion here indicates 
an interest in drop-dead-simple authentication so that your average user 
can experience the benefits of encryption. No CA-issued certs or PGP 
keys to manage, no fingerprint checking required, etc.

Personally I'm fine with fingerprint checking, which is especially easy 
if my contact has published a fingerprint to a web page. But not 
everyone has a web page. Besides, how do I know that the URL advertised 
in your electronic profile is really yours (couldn't your server modify 
your profile?). Some of this is solved in social ways (e.g., the URL for 
my blog is fairly well known, I post frequently to discussion lists and 
provide a link to a contact page, etc.), but for the average user it 
might not be feasible to check fingerprints.

As far as I can see, SAS requires checking out of band. But I might not 
even know how to contact you out of band -- e.g., via phone or encrypted 
email. Furthermore, the average user doesn't sign or encrypt their 
email. So we're left with the phone, which is not necessarily convenient 
(how do I find your phone number?) or secure (how do I know that the 
phone number in your electronic profile is really yours, how do I know 
what you're supposed to sound like if I've never talked with you?). And 
SAS doesn't help our automated friends (yes, "bots are people too!").

Passwords (a la SRP) are interesting. They require some shared context 
(e.g., the password is the name of that bar where we had a beer last 
week, the city where we first met, the last song released by a band we 
both like, the nickname of that weird guy in the chatroom). But 
typically people who are communicating over XMPP have some kind of 
shared context, whether that is gained from interacting IRL, 
communicating via email or web forums or blogs or IM, sharing some 
interest, etc. In the age of Facebook and (to some extent) a common 
worldwide culture, presumably some passwords could be guessed, but they 
could be made harder to guess if people really care to. Plus, I think 
that a mutual, shared passphrase feels familiar to people in a way that 
fingerprints and short authentication strings don't (it brings back 
memories of secret phrases among children and such). And bots could 
generate passphrases in some automated ways that I'm not creative enough 
to think of right now.

Anyway, those are some random musings. Maybe someone will find them 
helpful...

/psa

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20080819/957671a5/attachment.bin