[Security] TLS Certificates Verification

Dirk Meyer dmeyer at tzi.de
Tue Aug 19 16:50:42 CDT 2008


Jonathan Dickinson wrote:
> Requiring serverless messaging is a deceiving lure.
>
> What if the client is behind a symmetric NAT? Or some NAT that
> simply doesn't work with STUN (or ICE/SIP/whatever)? They can't
> open an encrypted session?

No, in that case they need the "help" of a server. IMHO the real use
case for serverless messaging is in the LAN. Back to my application
control using XMPP: I want to access my set-top box from other devices
in my LAN even if my DSL link is down.

> If there is an XEP that defines a stream in a stream (I think there
> was), one would open a new stream to a remote contact and simply do
> a starttls. In the case that both clients can be accessed (if they
> are behind a supporting NAT, or have a public IP) they can open the
> stream to each other directly and do a starttls.

That is the basic idea of XEP-0247 with the help of XEP-0246. We either
use serverless messaging or XEP-0247 to open a "connection" to the
peer, then use XEP-0246 to open a new stream and do starttls. The
question we had (and that is the reason I started the discussion) is:
how to verify the TLS certificates.


Dirk

-- 
Unix: because daemons should serve men, not the other way around.
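
The open question in the message above is how two XMPP peers verify each other's TLS certificates when no CA is involved. The usual practical answer is pinning: each peer learns the other's certificate fingerprint out of band (shown to the user, carried in a signed presence, or simply remembered on first use) and the TLS verification callback accepts only that fingerprint. The Go program below is an added example written for this page; it is not code from the thread, from XEP-0246/XEP-0247, or from any XMPP library. It assumes two hypothetical peers "alice" and "bob" with freshly generated self-signed ECDSA certificates, uses the hex SHA-256 of the DER certificate as the fingerprint (that hash choice is mine), and runs the mutual handshake over an in-memory pipe standing in for the stream-in-a-stream. How the fingerprint reaches the other side securely is exactly the part the thread is asking about; this example only shows what to do once a pinned value is at hand.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewPeerCert mints a throwaway self-signed certificate for one peer. There is no CA:
// the certificate only carries the key, and trust comes from the pinned fingerprint.
func NewPeerCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name}, // hypothetical peer name, never checked
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Fingerprint is the hex SHA-256 of the DER certificate, the value peers exchange out of band.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinVerifier builds the VerifyPeerCertificate callback crypto/tls runs on the received
// chain. CA chains and hostnames mean nothing here: accept exactly the pinned leaf.
func PinVerifier(expected string) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 {
			return fmt.Errorf("peer sent no certificate")
		}
		if got := Fingerprint(raw[0]); got != expected {
			return fmt.Errorf("fingerprint mismatch: got %s, pinned %s", got, expected)
		}
		return nil
	}
}

// pinConfig wires the verifier in. InsecureSkipVerify only disables the CA and hostname
// checks that cannot apply to a self-signed peer; VerifyPeerCertificate still runs.
func pinConfig(own tls.Certificate, pin string) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{own},
		InsecureSkipVerify:     true,
		VerifyPeerCertificate:  PinVerifier(pin),
		ClientAuth:             tls.RequireAnyClientCert, // mutual: the responder pins the initiator too
		SessionTicketsDisabled: true,                     // no post-handshake writes on the synchronous pipe below
	}
}

// Handshake runs a mutually authenticated handshake between two in-memory peers and returns the responder's first message.
func Handshake(initiator, responder tls.Certificate, initiatorPins, responderPins string) (string, error) {
	c1, c2 := net.Pipe()
	defer func() { c1.Close(); c2.Close() }()
	deadline := time.Now().Add(3 * time.Second) // a rejected peer must fail, never hang
	c1.SetDeadline(deadline)
	c2.SetDeadline(deadline)
	srv := tls.Server(c2, pinConfig(responder, responderPins))
	cli := tls.Client(c1, pinConfig(initiator, initiatorPins))
	srvErr := make(chan error, 1)
	go func() {
		err := srv.Handshake()
		if err == nil {
			_, err = srv.Write([]byte("stream ok"))
		}
		srvErr <- err
	}()
	buf := make([]byte, 64)
	n, cliErr := cli.Read(buf) // runs the initiator's handshake, then reads the responder's record
	if srvE := <-srvErr; cliErr != nil || srvE != nil {
		return "", fmt.Errorf("handshake failed: initiator: %v; responder: %v", cliErr, srvE)
	}
	return string(buf[:n]), nil
}

func main() {
	alice, _ := NewPeerCert("alice")
	bob, _ := NewPeerCert("bob")
	fmt.Println(Handshake(alice, bob, Fingerprint(bob.Certificate[0]), Fingerprint(alice.Certificate[0])))   // both pins right
	fmt.Println(Handshake(alice, bob, Fingerprint(alice.Certificate[0]), Fingerprint(alice.Certificate[0]))) // initiator pinned the wrong cert
}
```

Both sides present a certificate and both sides pin, so a peer that only knows the other's fingerprint but has had its own key replaced is rejected by the responder just as a wrong responder is rejected by the initiator. The pipe deadlines exist because an in-memory pipe is synchronous: when one side aborts mid-flight the other can be stuck in a blocking write, and the deadline turns that into an error instead of a hang.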

