[Security] Reminder :: Draft feedback on "C2C authentication using TLS"
melo at simplicidade.org
Mon Aug 25 05:02:43 CDT 2008
On Aug 25, 2008, at 10:48 AM, Dirk Meyer wrote:
> Jonathan Schleifer wrote:
>> Am 24.08.2008 um 20:59 schrieb Dirk Meyer:
>>> You could put the stuff I added as <offer> to the disco stuff. But
>>> must also work serverless. And when I work link-local I can not use
>>> disco#query before connecting.
>> For link-local, we can just try. But opening a direct connection and
>> then trying STARTTLS and failing - that'd be stupid. So therefore, we
>> should check before opening a connection when we're not link-local.
> Looking at XEP-0030 I see nothing that fits. But we we use the rule
> that a client ignores a tag if it does not know the namespace and that
> you can add a tag everywhere I see two choices.
> The first one is to add the offer directly in disco#query:
> <iq type='result'
> from='balconyscene at plays.shakespeare.lit'
> to='juliet at capulet.com/balcony'
> <query xmlns='http://jabber.org/protocol/disco#info'>
> <identity .../>
> <feature var='http://jabber.org/protocol/disco#info'/>
> <feature var='urn:xmpp:tmp:tlsauth'>
> <offer xmlns='urn:xmpp:tmp:tlsauth'>
> <x509 fingerprint='certificate-fingerprint'/>
> <openpgp fingerprint='openpgp-fingerprint'/>
Why not use:
<feature var='urn:xmpp:tmp:tlsauth' />
<feature var='urn:xmpp:tmp:tlsauth:x509cert' />
<feature var='urn:xmpp:tmp:tlsauth:pgpcert' />
<feature var='urn:xmpp:tmp:tlsauth:srp' />
to announce support, and then pick your preferred protocol to get the
signatures via PubSub. A fallback mechanism like a basic IQ-get or
your own proposal to use disco#items could also be interesting. It
would get us over the servers who do not offer pubsub, like GTalk for
Placing the signatures in the IQ-Disco itself would jeopardize the
latest advancements in Capabilities caching, and that is a bigger loss
than the overhead of fetching the signatures as a second step in the
XMPP ID: melo at simplicidade.org
More information about the Security