[Security] Hosted solutions - client/user certs

Dirk Meyer dmeyer at tzi.de
Fri Aug 22 11:57:23 CDT 2008


Johansson Olle E wrote:
> There are several phone clients for IM, the most recent one I
> discovered being MobileChat for iPhone, that builds on a model where I
> have to trust them with my credentials for my jabber service. I
> don't.

Same here. :)

> And if I do trust them, then change my mind, I have to ask my XMPP
> server manager to change my password or do it myself, then just hope
> that it's going to work out for the best. Then I have to change
> password stored in all my clients and devices. There's nothing on the
> web site that helps me to evaluate the trust I should put in them and
> their service.

A XEP to change the password would help you avoid contacting the
admin. Sounds like something very useful to me.

> Now, if I could issue a client cert for them, signed with my user
> cert, I could revoke that in the server and still keep all my other
> credentials valid.

That is a very, very nice idea. The client could create a certificate
(maybe self-signed) and you upload it to the XMPP server to use
this. There already is XEP-0178 on how to use certificates and not
passwords. This is also a very good idea about how to handle a bot if
the device is stolen or hacked: I could just remove the certificate.

Outline for a XEP: Changing User Credentials

1. A client can add a certificate (self-signed or not does not matter)
   to the server to use for SASL-EXTERNAL. The verification that this
   is the correct certificate is out of the scope of that XEP. Each
   certificate is combined with a name that cannot be changed
   later. This makes it possible for the user to know what clients can
   log in and the "not changeable" prevents a bad client from renaming

2. A client can remove a certificate at any time. Clients with that
   certificate cannot log in anymore. Optional: if a client is logged
   in right now it is kicked out. A server must keep track of how a
   client used SASL.

3. A client can change the password for the account. To do that it
   needs the old password. This prevents a compromised client with a
   certificate from locking me out of my account.

If I do not trust a client anymore I use my password to remove that
client and I'm done.

I like that.


Never put off until tomorrow what you can do the day after.
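
The three-point outline above, modelled as server-side account state in Python. This is an added example, not part of the original post or of any XEP; the `Account` class, its method names and the byte strings standing in for DER certificates are assumptions, and the TLS/SASL transport itself is not modelled.

```python
import hashlib
import hmac
import os

class Account:
    """Toy server-side record for one JID (hypothetical model, not an XMPP API)."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._pw = self._hash(password)
        self.certs = {}      # immutable name -> SHA-256 fingerprint of the cert
        self.sessions = {}   # session id -> (SASL mechanism, cert name or None)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(self._pw, self._hash(password))

    def add_certificate(self, name: str, der: bytes) -> None:
        # Point 1: a name is bound once, so an existing entry cannot be
        # renamed or silently replaced by another client.
        if name in self.certs:
            raise ValueError("certificate name already bound")
        self.certs[name] = hashlib.sha256(der).hexdigest()

    def login(self, sid, password=None, der=None) -> bool:
        # The server records which SASL mechanism (and which cert) a session used.
        fp = hashlib.sha256(der).hexdigest() if der is not None else None
        name = next((n for n, k in self.certs.items() if k == fp), None)
        if name is None and not (password is not None and self._check(password)):
            return False
        self.sessions[sid] = ("EXTERNAL", name) if name is not None else ("PLAIN", None)
        return True

    def remove_certificate(self, name: str) -> list:
        # Point 2: revoke one client; sessions that logged in with it are kicked.
        del self.certs[name]
        kicked = [s for s, (_, used) in self.sessions.items() if used == name]
        for s in kicked:
            del self.sessions[s]
        return kicked

    def change_password(self, old: str, new: str) -> bool:
        # Point 3: the old password is required, so a certificate-only client
        # cannot lock the owner out of the account.
        if not self._check(old):
            return False
        self._pw = self._hash(new)
        return True
```

Revoking one named certificate leaves the password and every other certificate valid, which is the property the hosted-client scenario asks for.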
