[Security] Simple CA - client/user delegation (new topic)

Dirk Meyer dmeyer at tzi.de
Sat Aug 23 09:36:25 CDT 2008


Johansson Olle E wrote:
> Now, in the case of client/user delegation, we could in theory
>
>  * create a new key pair for the client - the device
>
>  * sign the public key with the "user account"'s private key
>
>  * in this signed document - regardless of format  include a full jid
> - basic jid and resource - of the client
>  * send the signed document to the server

That sounds similar to what I suggested some days ago. Since we need a
way to revoke a key we should not use the internal X.509 certificate
chain and create a small one in XMPP. We do not need a long chain,
only one signature for a client key, and we can use pubsub to handle it.

From an earlier post of mine (with a small modification):

| <iq type='result'
|     to='romeo at montague.net/garden'
|     from='juliet at capulet.com'
|     id='items1'>
|   <pubsub xmlns='http://jabber.org/protocol/pubsub'>
|     <items>
|       <item id='julietX509cert1hash'>
|         <key node='urn:xmpp:tmp:pubkey' type='user'>
|           <KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'>
|             <KeyName>julietX509cert1hash</KeyName>
|             This is the public part of my user key
|           </KeyInfo>
|         </key>
|       </item>
|       <item id='julietX509cert2hash'>
|         <key node='urn:xmpp:tmp:pubkey' type='client'>
|           <KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'>
|             <KeyName>julietX509cert1hash</KeyName>
|             This is a client key with signatures from my user key
|           </KeyInfo>
|         </key>
|       </item>
|       <item id='julietX509cert3hash'>
|         <key node='urn:xmpp:tmp:pubkey' type='client'>
|           <revoked>
|             This is a client key from a client I no longer trust.
|             The revoke must also be signed by my user key
|           </revoked>
|         </key>
|       </item>
|     </items>
|   </pubsub>
| </iq>

This would help me handle all my client keys.

> And yes, there was a lot of mushroom in the forest :-). Back to the
> kitchen...

Maybe my problem is deeper: we do not only have a lack of mushrooms in
the city, we have a lack of forests :)


Dirk

-- 
A day without sun shine is like, you know, night.
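The one-level chain described above (a client key accepted only because the user key signed it, and a revocation honoured only when the user key signed it too), as an added example that is not from the original thread or any XMPP project: Go with Ed25519 standing in for the X.509 keys, and a byte payload standing in for the signed pubsub item. The item ids, the "client"/"revoked" types and the payload layout are assumptions.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "fmt"

// Item is one entry of the proposed pubsub node: a client key the user key has
// signed, or a revocation of a client key id; Sig stands in for the ds:Signature.
type Item struct {
	ID   string            // stands in for the certificate-hash item id
	Type string            // "client" or "revoked"
	Key  ed25519.PublicKey // client public key (empty for a revocation)
	Sig  []byte            // user key's signature over payload(it)
}

// payload binds Type and ID into the signed bytes, so a "client" signature cannot be replayed as a "revoked" one.
func payload(it Item) []byte { return append([]byte(it.Type+":"+it.ID+":"), it.Key...) }

// SignItem is what the user's own client does before publishing an item.
func SignItem(userPriv ed25519.PrivateKey, it Item) Item {
	it.Sig = ed25519.Sign(userPriv, payload(it))
	return it
}

// TrustedClientKeys is the contact's side: a client key is accepted only if
// the user key signed it, and dropped only by a revocation the user key signed.
func TrustedClientKeys(userPub ed25519.PublicKey, items []Item) map[string]ed25519.PublicKey {
	trusted, revoked := map[string]ed25519.PublicKey{}, map[string]bool{}
	for _, it := range items {
		switch {
		case !ed25519.Verify(userPub, payload(it), it.Sig): // unsigned or forged: ignore
		case it.Type == "client":
			trusted[it.ID] = it.Key
		case it.Type == "revoked":
			revoked[it.ID] = true
		}
	}
	for id := range revoked {
		delete(trusted, id)
	}
	return trusted
}

func main() {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, _, _ := ed25519.GenerateKey(rand.Reader)
	items := []Item{SignItem(userPriv, Item{ID: "cert2hash", Type: "client", Key: clientPub}),
		{ID: "cert2hash", Type: "revoked"}} // unsigned revocation: must be ignored
	fmt.Println(len(TrustedClientKeys(userPub, items))) // prints 1
}
```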

