[Security] TLS-SRP Questions
jonathanD at k2.com
Thu Aug 21 09:42:12 CDT 2008
And my hard-laboured formatting got messed up.
Flat, but harder to understand:
Initiator opens connection
Target gets connection and presents certificate
Initiator verifies certificate with IC -> Fail if invalid
Initiator presents certificate
Target verifies certificate -> Fail if invalid
The point is, from what I can tell, TLS supports all of that. Sorry, my TLS literature isn't as good as some of the rest of you ;).
> -----Original Message-----
> From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
> Behalf Of Jonathan Dickinson
> Sent: Thursday, August 21, 2008 4:37 PM
> To: XMPP Security
> Subject: Re: [Security] TLS-SRP Questions
> > -----Original Message-----
> > From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
> > Behalf Of Eric Rescorla
> > Sent: Thursday, August 21, 2008 4:13 PM
> > To: XMPP Security
> > Subject: Re: [Security] TLS-SRP Questions
> > ...
> > >
> > > May be a n00b comment, but If we had verifiable certificates (via
> > > IC) the client is given the opportunity to present their certificate.
> > > I am not sure how this works, all that I have to go on is that in .net
> > > TLS streams there is an event called PresentClientCertificate (or
> > > something along those lines).
> > I'm not sure I understand the question...
> From what I can tell (I haven't gotten to using the API yet, other
> things still to do on my server), a mutual exchange of certificates is
> possible. Out of the scope of this document I would assume that means
> that a client would be able to give their certificate to a server and
> authenticate that way (the reason for SASL External I assume).
> In a similar fashion, if we use TLS XMPP IBB the initiator can be seen
> as the client. Thus:
> Initiator --> TLS via XMPP --> Target -----\
> /-- Target <--- (Initiator certificate) <--/
> \--> Cert ok? --> (Target certificate) --\
> Success <-- Cert ok? <-- Initiator <-----/
> Best viewed at 1024x768 in your console of choice ;).
> > -Ekr
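The flat sequence above (target presents its certificate, initiator verifies it against the issuer, initiator presents its own, target verifies that) is exactly what a mutually authenticated TLS handshake does, and it is worth seeing both the success path and the two failure paths. The following is an added example written for this page, not code from the thread or from any XMPP project: it uses Go's crypto/tls over a loopback TCP socket instead of an XMPP IBB transport, mints its own throwaway CA and certificates at startup, and reads the post's "IC" as the issuing CA that both sides trust (an assumption). The names "demo-ca", "rogue-ca", "target.example" and "initiator.example" are invented for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // assumption: a process-local counter is enough for a throwaway CA

// issue creates a short-lived certificate for cn. With parent == nil it is
// self-signed (a CA); otherwise it is signed by parent/parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// End-entity certs carry the name the peer checks and both EKUs, so the
		// same kind of cert can play initiator (client) or target (server).
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func pool(ca *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca)
	return p
}

func tlsCert(cert *x509.Certificate, key *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}

// handshake runs one TLS handshake over loopback TCP and returns the error
// each side observed (nil when that side accepted the peer).
func handshake(serverCfg, clientCfg *tls.Config) (serverErr, clientErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() { // the target: accepts, presents its cert, verifies the initiator's
		raw, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		srv := tls.Server(raw, serverCfg)
		err = srv.Handshake()
		srv.Close()
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String()) // the initiator opens the connection
	if err != nil {
		panic(err)
	}
	cli := tls.Client(raw, clientCfg)
	clientErr = cli.Handshake()
	cli.Close()
	serverErr = <-done
	return
}

type Result struct{ ServerErr, ClientErr error }

// RunScenarios exercises the three outcomes of the sequence in the post.
func RunScenarios() map[string]Result {
	ca, caKey := issue("demo-ca", true, nil, nil)        // the issuer both sides trust
	rogue, rogueKey := issue("rogue-ca", true, nil, nil) // an issuer nobody trusts
	target, targetKey := issue("target.example", false, ca, caKey)
	initiator, initKey := issue("initiator.example", false, ca, caKey)
	fake, fakeKey := issue("target.example", false, rogue, rogueKey)

	serverCfg := func(c *x509.Certificate, k *ecdsa.PrivateKey) *tls.Config {
		return &tls.Config{
			Certificates: []tls.Certificate{tlsCert(c, k)},
			ClientAuth:   tls.RequireAndVerifyClientCert, // target verifies initiator -> fail if invalid
			ClientCAs:    pool(ca),
		}
	}
	clientCfg := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{
			Certificates: certs,    // the initiator's own certificate, if any
			RootCAs:      pool(ca), // initiator verifies target against the issuer -> fail if invalid
			ServerName:   "target.example",
		}
	}
	run := func(s, c *tls.Config) Result {
		se, ce := handshake(s, c)
		return Result{se, ce}
	}
	return map[string]Result{
		"mutual ok":         run(serverCfg(target, targetKey), clientCfg(tlsCert(initiator, initKey))),
		"target untrusted":  run(serverCfg(fake, fakeKey), clientCfg(tlsCert(initiator, initKey))),
		"initiator no cert": run(serverCfg(target, targetKey), clientCfg()),
	}
}

func main() {
	for name, r := range RunScenarios() {
		fmt.Printf("%-18s server=%v client=%v\n", name, r.ServerErr, r.ClientErr)
	}
}
```

Note the asymmetry in the "initiator no cert" case: with TLS 1.3 the client's Handshake() returns before the server has checked the client certificate, so only the server side reports the failure there, and the client first notices when it tries to read; the server-side error is the one to assert on.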