[Security] TLS Certificates Verification

Peter Saint-Andre stpeter at stpeter.im
Tue Aug 19 16:37:23 CDT 2008


Jonathan Schleifer wrote:
> Dirk Meyer <dmeyer at tzi.de> wrote:
> 
>> You open a stream from client to client. It could be based on In-band
>> bytestreams. Normally used for file transfer and stuff like that we
>> use it to open a new stream. So you have one stream to the server and
>> one stream (maybe tunneled through the server) to the other
>> client. You can open as many streams to other clients as you want.
> 
> So you encode that XML stream in base64 and transfer it inbound? Ah,
> ok. That explains how you can have more than one of them. But this
> looks VERY hacky to me. Base64 encoded XML in XML.

It's not hacky, it's a clever hack:

1. Negotiate a reliable transport (could be a direct TCP connection, 
could be in-band bytestreams over XMPP, whatever).

2. Start an XML stream.

3. Upgrade the stream to encrypted using STARTTLS.

You'll notice that this is exactly what we already do for XMPP as 
defined in RFC 3920. It's just that for end-to-end streams the transport 
might not be a direct TCP connection as in RFC 3920.

/psa
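As an added example (not part of this thread, and not code from any XMPP project), here is a Go program that carries out the three steps above with every layer Jonathan objected to left in place: an XML stream, base64-encoded, inside XML <data/> stanzas, with TLS running on top and the initiator verifying the responder's certificate. Everything in it is constructed for illustration: net.Pipe stands in for the XMPP server relaying stanzas; the ibbData and ibbConn types are a cut-down imitation of XEP-0047 in-band bytestreams (no sid or seq attributes, one stanza per write); the stream header, <starttls/> and <proceed/> follow RFC 3920; and runE2EStream, the name "server.example" and the throwaway self-signed certificate are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"io"
	"math/big"
	"net"
	"time"
)

type ibbData struct { // shape of an XEP-0047 chunk (constructed; a real one also carries sid/seq attributes and sits inside a <message/> or <iq/>)
	XMLName xml.Name `xml:"http://jabber.org/protocol/ibb data"`
	Data    string   `xml:",chardata"`
}

type ibbConn struct { // gives crypto/tls the net.Conn it expects while every byte actually travels as base64 text inside XML <data/> stanzas
	net.Conn             // the stanza channel (one end of a net.Pipe in this example)
	dec     *xml.Decoder
	pending bytes.Buffer // decoded bytes not yet consumed by Read
}

func (c *ibbConn) Write(p []byte) (int, error) {
	chunk := ibbData{Data: base64.StdEncoding.EncodeToString(p)} // one stanza per Write; a real sender also splits at the block-size
	if err := xml.NewEncoder(c.Conn).Encode(chunk); err != nil {
		return 0, err
	}
	return len(p), nil
}

func (c *ibbConn) Read(p []byte) (int, error) {
	for c.pending.Len() == 0 { // decode stanzas until there are plaintext bytes to hand back
		var chunk ibbData
		if err := c.dec.Decode(&chunk); err != nil {
			return 0, err
		}
		raw, err := base64.StdEncoding.DecodeString(chunk.Data)
		if err != nil {
			return 0, err
		}
		c.pending.Write(raw)
	}
	return c.pending.Read(p)
}

// runE2EStream walks the thread's three steps over an in-memory IBB tunnel and returns the stanza the
// responder received inside TLS; the initiator verifies the responder's certificate against expectedName.
func runE2EStream(expectedName string) (string, error) {
	// Throwaway in-process certificate for "server.example" (constructed; a deployment uses an issued one).
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored for brevity; a bad certificate would fail the handshake below
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"server.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:        true, BasicConstraintsValid: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	a, b := net.Pipe() // Step 1: net.Pipe plays the XMPP server relaying the stanzas
	initiator := &ibbConn{Conn: a, dec: xml.NewDecoder(a)}
	responder := &ibbConn{Conn: b, dec: xml.NewDecoder(b)}
	defer initiator.Close()
	got := make(chan string, 1) // responder-side failures surface as ""
	go func() {
		defer responder.Close()
		buf := make([]byte, 4096)
		responder.Read(buf) // Step 2: the stream header and <starttls/> arrive in one stanza
		io.WriteString(responder, "<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
		// Step 3: TLS over the same tunnel; tickets are disabled so the responder never writes after the handshake (net.Pipe is synchronous).
		tconn := tls.Server(responder, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
		n, _ := tconn.Read(buf) // the handshake runs inside Read; the message fits in one record
		got <- string(buf[:n])
	}()
	// Step 2: open the XML stream in the clear and request STARTTLS, exactly as in RFC 3920.
	io.WriteString(initiator, "<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
	buf := make([]byte, 4096)
	if n, _ := initiator.Read(buf); !bytes.Contains(buf[:n], []byte("<proceed")) {
		return "", errors.New("responder did not answer <proceed/>")
	}
	tconn := tls.Client(initiator, &tls.Config{RootCAs: roots, ServerName: expectedName}) // Step 3: RootCAs plus ServerName is the certificate check the subject line is about
	if err := tconn.Handshake(); err != nil {
		return "", err
	}
	io.WriteString(tconn, "<message><body>hello over IBB+TLS</body></message>") // one TLS record
	return <-got, nil
}
```

runE2EStream("server.example") returns the <message/> the responder decrypted; runE2EStream("other.example") fails in Handshake with an x509 hostname error, which is the point of the subject line: tunnelling the stream through base64-in-XML changes nothing about how the peer's certificate has to be checked. The package has no main; call it from a test, or add one that prints both results.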
