[Security] Reminder :: Draft feedback on "C2C authentication using TLS"

Dirk Meyer dmeyer at tzi.de
Mon Aug 25 04:48:35 CDT 2008


Jonathan Schleifer wrote:
> Am 24.08.2008 um 20:59 schrieb Dirk Meyer:
>
>> You could put the stuff I added as <offer> to the disco stuff. But it
>> must also work serverless. And when I work link-local I can not use
>> disco#query before connecting.
>
> For link-local, we can just try. But opening a direct connection and
> then trying STARTTLS and failing - that'd be stupid. So therefore, we
> should check before opening a connection when we're not link-local.

Looking at XEP-0030 I see nothing that fits. But if we use the rule
that a client ignores a tag if it does not know the namespace and that
you can add a tag everywhere, I see two choices.

The first one is to add the offer directly in disco#query:

<iq type='result'
    from='balconyscene at plays.shakespeare.lit'
    to='juliet at capulet.com/balcony'
    id='info3'>
  <query xmlns='http://jabber.org/protocol/disco#info'>
    <identity .../>
    <feature var='http://jabber.org/protocol/disco#info'/>
    ...
    <feature var='urn:xmpp:tmp:tlsauth'>
      <offer xmlns='urn:xmpp:tmp:tlsauth'>
        <x509 fingerprint='certificate-fingerprint'/>
        <openpgp fingerprint='openpgp-fingerprint'/>
        <srp/>
      </offer>
    </feature>
  </query>
</iq>

The other idea is to use disco#items .... while wanting to write down
an example I noticed that this would be a very bad hack. We could also
create our own query in the urn:xmpp:tmp:tlsauth namespace:

<iq type='get'
    from='juliet at capulet.com/balcony'
    to='balconyscene at plays.shakespeare.lit'
    id='info'>
  <query xmlns='urn:xmpp:tmp:tlsauth'/>
</iq>

<iq type='result'
    from='balconyscene at plays.shakespeare.lit'
    to='juliet at capulet.com/balcony'
    id='info'>
  <query xmlns='urn:xmpp:tmp:tlsauth'>
    <x509 fingerprint='certificate-fingerprint'/>
    <openpgp fingerprint='openpgp-fingerprint'/>
    <srp/>
  </query>
</iq>


Dirk

-- 
Smash forehead on keyboard to continue.....
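Added example, not from the post or the draft it discusses: a small Python parser that accepts both of the proposed advertisement forms and uses the result to decide, before opening a direct connection, whether a STARTTLS attempt is worth making at all. The stanzas, JIDs and fingerprint values below are constructed sample data; the element names and namespace are the ones from the post.

```python
import xml.etree.ElementTree as ET

TLSAUTH_NS = "urn:xmpp:tmp:tlsauth"
# Constructed disco#info result for the first proposal (<offer> inside <feature>).
DISCO_RESULT = """<iq xmlns='jabber:client' type='result'
    from='balconyscene@plays.shakespeare.lit'
    to='juliet@capulet.com/balcony' id='info3'>
  <query xmlns='http://jabber.org/protocol/disco#info'>
    <identity category='client' type='pc' name='Example'/>
    <feature var='http://jabber.org/protocol/disco#info'/>
    <feature var='urn:xmpp:tmp:tlsauth'>
      <offer xmlns='urn:xmpp:tmp:tlsauth'>
        <x509 fingerprint='AB:CD:EF:01'/>
        <openpgp fingerprint='1234ABCD'/>
        <srp/>
      </offer>
    </feature>
  </query>
</iq>"""

# Constructed result for the second proposal (dedicated tlsauth query).
TLSAUTH_RESULT = """<iq xmlns='jabber:client' type='result'
    from='balconyscene@plays.shakespeare.lit'
    to='juliet@capulet.com/balcony' id='info'>
  <query xmlns='urn:xmpp:tmp:tlsauth'>
    <x509 fingerprint='AB:CD:EF:01'/>
    <srp/>
  </query>
</iq>"""

def parse_offers(stanza_xml):
    """Return {method: fingerprint or None} for each tlsauth method offered.
    Handles both proposals by looking for a tlsauth <offer> or <query>
    anywhere in the stanza; a peer that does not know the namespace sends
    neither, so the result is empty and no connection needs to be opened."""
    offers = {}
    containers = ("{%s}offer" % TLSAUTH_NS, "{%s}query" % TLSAUTH_NS)
    for container in ET.fromstring(stanza_xml).iter():
        if container.tag not in containers:
            continue
        for method in container:
            if not method.tag.startswith("{%s}" % TLSAUTH_NS):
                continue  # unknown namespace: ignore it, as the post's rule says
            offers[method.tag.split("}", 1)[1]] = method.get("fingerprint")
    return offers

def usable_methods(offers, local_methods):
    """Methods both sides support; empty means skip the direct STARTTLS attempt."""
    return sorted(set(offers) & set(local_methods))
```

For link-local peers, where no disco round trip is possible before connecting, the same parser can be run on whatever the peer sends once the stream is open.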
