[Security] Reminder :: Draft feedback on "C2C authentication using TLS"

Johansson Olle E oej at edvina.net
Sun Aug 24 13:37:25 CDT 2008


Just a kind reminder to read and comment on Dirk's proposal, so that  
we can improve/approve/disapprove this document :-)



----- From the document: --------------------------------------


For secure client-to-client (C2C) communication the clients can use
Link-Local Messaging [1] or Jingle XML Streams [2] to open a
connection between the two clients. To open an XMPP connection,
End-to-End XML Streams [3] defines a stream setup similar to the setup
used by client-server communications. To secure the communication the
extension defines the use of Transport Layer Security as defined in
RFC 4346 [4] for encryption and authentication. XEP-0246 suggests using
the OpenPGP TLS extension but does not specify how to negotiate whether
both peers support the extension and whether they are able to verify the
OpenPGP key. It makes no sense to use OpenPGP instead of X.509
certificates if there is also no trust on the OpenPGP level. This document
describes how to negotiate how to use TLS, to exchange possible
extensions and key fingerprints before the actual TLS handshake.

After the TLS handshake both communication partners MUST be sure that  
they are communicating with the correct person without a man-in-the- 


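The negotiation the excerpt describes (offer credential types and fingerprints before the handshake, pick a type both sides can actually verify, then confirm the presented certificate after the handshake) modelled as an added Python example. This is illustrative code written for this page, not Dirk's proposal's wire format; the offers, trust stores and fingerprint values are constructed, and the post-handshake check covers X.509 only (OpenPGP fingerprints are computed over the key packet, not shown here).

```python
import hashlib
import hmac

# Constructed sample data (not real keys). Before the TLS handshake each
# peer offers the credential types it supports with its own fingerprint.
OFFER_A = {"x509": "aa" * 32, "openpgp": "bb" * 20}
OFFER_B = {"x509": "cc" * 32, "openpgp": "dd" * 20}

# Fingerprints each peer has already verified out of band. A has never
# trusted B's OpenPGP key, so OpenPGP must not be chosen even though both
# peers support it: an unverifiable fingerprint adds no authentication.
TRUSTED_BY_A = {"x509": {"cc" * 32}}
TRUSTED_BY_B = {"x509": {"aa" * 32}, "openpgp": {"bb" * 20}}

# Hypothetical local preference order, most preferred first.
PREFERENCE = ("openpgp", "x509")


def verifiable(peer_offer, trust_store):
    """Return the credential types in the peer's offer whose fingerprint
    this side can verify against what it already trusts."""
    return {
        method for method, fp in peer_offer.items()
        if fp in trust_store.get(method, set())
    }


def choose(acked_by_a, acked_by_b):
    """Pick the most preferred type both peers acknowledged as verifiable,
    or None if no common verifiable type exists (then fall back to an
    unauthenticated or separately authenticated session, never pretend)."""
    common = acked_by_a & acked_by_b
    for method in PREFERENCE:
        if method in common:
            return method
    return None


def check_x509(presented_der, expected_hex):
    """After the handshake, bind the presented certificate to the fingerprint
    exchanged beforehand. SHA-256 over the DER bytes; constant-time compare."""
    actual = hashlib.sha256(presented_der).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    method = choose(verifiable(OFFER_B, TRUSTED_BY_A),
                    verifiable(OFFER_A, TRUSTED_BY_B))
    print("negotiated:", method)  # x509, since A cannot verify B's OpenPGP key
```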