[Security] TLS Certificates Verification

Dirk Meyer dmeyer at tzi.de
Wed Aug 20 07:30:29 CDT 2008


Jonathan Dickinson wrote:
> Somehow the user would have different certificates for different
> resources. This would allow me to assert that jack sent the message
> and he is at home.

That is why I wanted to have user certificates and client certificates.

> More appropriately, if I have 15 killer robots I could give them
> different resources, but the same bare JID. I would then be able to
> tell for sure which the message came from (e.g. Arnold manages to
> catch one and starts impersonating it, but the others are still
> secure). You could just give each a completely different JID, but
> somehow this has some attractive properties.

All your killer robots should only have a client certificate that is
signed somehow (CA vs. web of trust, see my other mails) by your
client key. Now when Arnold takes over one of your robots you revoke
that client key with your user key. All other robots can still kill in
your name. And all robots will share your base JID.

You as user have one JID with one user certificate and a server
password to log in. Your robots all have the server password to log in
and create a unique full JID. They all get a unique client certificate
signed by the user certificate.


Dirk

-- 
ACK and you shall receive.


More information about the Security mailing list