[Security] Reminder :: Draft feedback on "C2C authentication using TLS"

Pedro Melo melo at simplicidade.org
Mon Aug 25 05:02:43 CDT 2008


Hi,

On Aug 25, 2008, at 10:48 AM, Dirk Meyer wrote:

> Jonathan Schleifer wrote:
>> Am 24.08.2008 um 20:59 schrieb Dirk Meyer:
>>
>>> You could put the stuff I added as <offer> to the disco stuff. But it
>>> must also work serverless. And when I work link-local I can not use
>>> disco#query before connecting.
>>
>> For link-local, we can just try. But opening a direct connection and
>> then trying STARTTLS and failing - that'd be stupid. So therefore, we
>> should check before opening a connection when we're not link-local.
>
> Looking at XEP-0030 I see nothing that fits. But if we use the rule
> that a client ignores a tag if it does not know the namespace and that
> you can add a tag everywhere, I see two choices.
>
> The first one is to add the offer directly in disco#query:
>
> <iq type='result'
>    from='balconyscene at plays.shakespeare.lit'
>    to='juliet at capulet.com/balcony'
>    id='info3'>
>  <query xmlns='http://jabber.org/protocol/disco#info'>
>    <identity .../>
>    <feature var='http://jabber.org/protocol/disco#info'/>
>    ...
>    <feature var='urn:xmpp:tmp:tlsauth'>
>      <offer xmlns='urn:xmpp:tmp:tlsauth'>
>        <x509 fingerprint='certificate-fingerprint'/>
>        <openpgp fingerprint='openpgp-fingerprint'/>
>        <srp/>
>      </offer>
>    </feature>


Why not use:

<feature var='urn:xmpp:tmp:tlsauth' />
<feature var='urn:xmpp:tmp:tlsauth:x509cert' />
<feature var='urn:xmpp:tmp:tlsauth:pgpcert' />
<feature var='urn:xmpp:tmp:tlsauth:srp' />

to announce support, and then pick your preferred protocol to get the
signatures via PubSub. A fallback mechanism like a basic IQ-get or
your own proposal to use disco#items could also be interesting. It
would get us over the servers who do not offer pubsub, like GTalk for
example.

Placing the signatures in the IQ-Disco itself would jeopardize the
latest advancements in Capabilities caching, and that is a bigger loss
than the overhead of fetching the signatures as a second step in the
protocol.

Best regards,
-- 
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org
Use XMPP!
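The point about Capabilities caching can be made concrete. Below is an added example, not code from the thread or from any XMPP library: it computes the XEP-0115 verification string over the two disco#info layouts discussed above (Dirk's embedded `<offer/>` and Pedro's per-method feature vars). The JIDs, the identity element, the fingerprints and the `urn:xmpp:tmp:tlsauth` feature names are constructed placeholders modelled on the thread, not a real specification; extended data forms of XEP-0115 are left out since neither proposal uses them.

```python
"""Added example: XEP-0115 entity-capabilities hashing versus the two
disco#info layouts from the thread.  Everything in here is constructed
for illustration (JIDs, identity, fingerprints, tlsauth namespace)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DISCO_NS = "http://jabber.org/protocol/disco#info"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
TLSAUTH_NS = "urn:xmpp:tmp:tlsauth"  # experimental namespace used in the thread


def _query(disco_xml: str) -> ET.Element:
    """Return the <query/> child of a disco#info result stanza."""
    query = ET.fromstring(disco_xml).find(f"{{{DISCO_NS}}}query")
    if query is None:
        raise ValueError("not a disco#info result")
    return query


def caps_ver(disco_xml: str) -> str:
    """XEP-0115 verification string (data forms not handled): identities
    sorted by category, type, xml:lang, then feature vars sorted, each item
    followed by '<'; SHA-1 of that string, base64 encoded.
    Only the var attribute of each <feature/> is hashed, so anything nested
    inside a <feature/> (such as an <offer/> holding fingerprints) never
    influences the hash and therefore never invalidates a cached entry."""
    q = _query(disco_xml)
    identities = sorted(
        (i.get("category", ""), i.get("type", ""), i.get(XML_LANG, ""), i.get("name", ""))
        for i in q.findall(f"{{{DISCO_NS}}}identity")
    )
    features = sorted(f.get("var", "") for f in q.findall(f"{{{DISCO_NS}}}feature"))
    s = "".join("/".join(ident) + "<" for ident in identities)
    s += "".join(var + "<" for var in features)
    return base64.b64encode(hashlib.sha1(s.encode("utf-8")).digest()).decode("ascii")


def advertised_methods(disco_xml: str) -> list:
    """Pedro's layout: one feature var per method, so the cacheable feature
    list alone says which authentication methods an entity offers."""
    prefix = TLSAUTH_NS + ":"
    return sorted(
        f.get("var")[len(prefix):]
        for f in _query(disco_xml).findall(f"{{{DISCO_NS}}}feature")
        if f.get("var", "").startswith(prefix)
    )


def embedded_fingerprints(disco_xml: str) -> dict:
    """Dirk's layout: fingerprints nested in an <offer/> under the feature."""
    result = {}
    for offer in _query(disco_xml).iter(f"{{{TLSAUTH_NS}}}offer"):
        for child in offer:
            result[child.tag.split("}", 1)[-1]] = child.get("fingerprint")
    return result


def _stanza(body: str) -> str:
    """Wrap a feature list in a constructed disco#info result."""
    return (
        "<iq type='result' from='romeo@example.net/orchard' "
        "to='juliet@example.com/balcony' id='info3'>"
        f"<query xmlns='{DISCO_NS}'>"
        "<identity category='client' type='pc' name='Example Client'/>"
        f"<feature var='{DISCO_NS}'/>"
        f"{body}</query></iq>"
    )


def _embedded(x509: str, pgp: str) -> str:
    return _stanza(
        f"<feature var='{TLSAUTH_NS}'><offer xmlns='{TLSAUTH_NS}'>"
        f"<x509 fingerprint='{x509}'/><openpgp fingerprint='{pgp}'/><srp/>"
        "</offer></feature>"
    )


# Same entity before and after a (constructed) certificate rotation.
EMBEDDED_A = _embedded("AA:AA:AA:AA", "1111 1111")
EMBEDDED_B = _embedded("BB:BB:BB:BB", "2222 2222")

# Pedro's proposal: only static namespace vars, fingerprints fetched separately.
SPLIT = _stanza(
    f"<feature var='{TLSAUTH_NS}'/>"
    f"<feature var='{TLSAUTH_NS}:x509cert'/>"
    f"<feature var='{TLSAUTH_NS}:pgpcert'/>"
    f"<feature var='{TLSAUTH_NS}:srp'/>"
)

if __name__ == "__main__":
    print("embedded A:", caps_ver(EMBEDDED_A), embedded_fingerprints(EMBEDDED_A))
    print("embedded B:", caps_ver(EMBEDDED_B), embedded_fingerprints(EMBEDDED_B))
    print("split:     ", caps_ver(SPLIT), advertised_methods(SPLIT))
```

Running it shows `EMBEDDED_A` and `EMBEDDED_B` producing the identical `ver` string even though the fingerprints differ, so a peer holding a cached caps entry would keep the old fingerprints until the feature list itself changed; the split layout keeps a stable, cacheable feature list and leaves the fingerprints to the second step Pedro describes.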