[Security] TLS Certificates Verification - client/user certificates

Johansson Olle E oej at edvina.net
Wed Aug 20 08:05:20 CDT 2008

20 aug 2008 kl. 14.30 skrev Dirk Meyer:

> Jonathan Dickinson wrote:
>> Somehow the user would have different certificates for different
>> resources. This would allow me to assert that jack sent the message
>> and he is at home.
> That is why I wanted to have user certificates and client certificates.
I think that's a very interesting idea.
"User certificate" - id of the owner of the account
"client certificate" - delegation by the user certificate, to get access to the account resources.

The client certificate could have fields for a couple of parameters:
- Limited presence (only allowing negative presence, for bots)
- No messaging
- Service discovery on/off
- Roster access
- unique resource name for this client

So for a social network type of site, I could assign a client cert that only gives access to my roster, but not anything else.

>> More appropriately, if I have 15 killer robots I could give them
>> different resources, but the same bare JID. I would then be able to
>> tell for sure which the message came from (e.g. Arnold manages to
>> catch one and starts impersonating it, but the others are still
>> secure). You could just give each a completely different JID, but
>> somehow this has some attractive properties.
> All your killer robots should only have a client certificate that is
> signed somehow (CA vs. web of trust, see my other mails) by your
> client key. Now when Arnold takes over one of your robots you revoke
> that client key with your user key. All other robots can still kill in
> your name. And all robots will share your base JID.
> You as user have one JID with one user certificate and a server
> password to log in. Your robots all have the server password to log in
> and create a unique full JID. They all get a unique client certificate
> signed by the user certificate.

Interesting example. I kind of prefer the Capulets to killer robots,
but I understand where you're going :-)
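The user-signed client certificate with capability fields proposed above, together with the revoke-a-compromised-robot scenario from the quoted reply, as an added example in Go. This is not code from this thread or from any XMPP implementation; the private OID for the capability extension, the DER layout of the flags, the in-memory revocation list and the JIDs are all assumptions made for the illustration. The user certificate acts as the CA for its own clients, each client certificate names one full JID and carries its capability flags, and the server's check rejects any client certificate that does not chain to the presenting account's user certificate or that the user has revoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed private OID for the capability extension; not a registered XMPP OID.
var oidClientCaps = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// ClientCaps mirrors the fields proposed in the thread. It is DER-encoded as a
// SEQUENCE of BOOLEANs and carried in a non-critical extension of the client cert.
type ClientCaps struct {
	LimitedPresence  bool // only negative presence, e.g. for bots
	NoMessaging      bool
	ServiceDiscovery bool
	RosterAccess     bool
}

// Account holds the owner's user certificate (the CA for its clients) and the
// serials of client certificates the owner has revoked (assumed in-memory list).
type Account struct {
	userKey  *ecdsa.PrivateKey
	UserCert *x509.Certificate
	revoked  map[string]bool
}

// NewAccount creates a self-signed user certificate for a bare JID.
func NewAccount(bareJID string) (*Account, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: bareJID},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Account{userKey: key, UserCert: cert, revoked: map[string]bool{}}, nil
}

// IssueClientCert signs a client certificate for one resource with the user key.
// The full JID (bare JID + "/" + resource) is the subject; the caps go in the extension.
func (a *Account) IssueClientCert(resource string, caps ClientCaps, serial int64) (*x509.Certificate, error) {
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	capsDER, err := asn1.Marshal(caps)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(serial),
		Subject:         pkix.Name{CommonName: a.UserCert.Subject.CommonName + "/" + resource},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(12 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidClientCaps, Value: capsDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, a.UserCert, &clientKey.PublicKey, a.userKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke records a client serial as withdrawn; the user key, not the server, decides.
func (a *Account) Revoke(client *x509.Certificate) {
	a.revoked[client.SerialNumber.String()] = true
}

// VerifyClient is the server-side check: the presented cert must chain to this
// account's user cert, be unrevoked and unexpired, and carry a capability extension.
func (a *Account) VerifyClient(client *x509.Certificate) (ClientCaps, error) {
	var caps ClientCaps
	if a.revoked[client.SerialNumber.String()] {
		return caps, errors.New("client certificate revoked by its user")
	}
	roots := x509.NewCertPool()
	roots.AddCert(a.UserCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return caps, err
	}
	for _, ext := range client.Extensions {
		if ext.Id.Equal(oidClientCaps) {
			_, err := asn1.Unmarshal(ext.Value, &caps)
			return caps, err
		}
	}
	return caps, errors.New("no capability extension: grant nothing")
}

func main() {
	jack, _ := NewAccount("jack@example.org") // constructed JID
	robot, _ := jack.IssueClientCert("robot-1", ClientCaps{LimitedPresence: true, NoMessaging: true, RosterAccess: true}, 2)
	fmt.Println(jack.VerifyClient(robot)) // caps granted to robot-1
	jack.Revoke(robot)                    // robot-1 was captured: withdraw it
	fmt.Println(jack.VerifyClient(robot)) // error: revoked, the other robots are unaffected
}
```

The point of keeping the capability flags inside the signed certificate rather than in a server-side table is that the server cannot grant a client more than its user signed for, and revoking one robot's serial leaves every other client certificate signed by the same user key valid.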
