[Security] Reminder :: Draft feedback on "C2C authentication using TLS"

Dirk Meyer dmeyer at tzi.de
Mon Aug 25 05:05:19 CDT 2008


Jonathan Schleifer wrote:
> Am 25.08.2008 um 11:48 schrieb Dirk Meyer:
>
>> The other idea is to use disco#items .... while wanting to write down
>> an example I noticed that this would be a very bad hack. We could also
>> create our own query in the urn:xmpp:tmp:tlsauth namespace:
>>
>> <iq type='get'
>>    from='juliet at capulet.com/balcony'
>>    to='balconyscene at plays.shakespeare.lit'
>>    id='info'>
>>  <query xmlns='urn:xmpp:tmp:tlsauth'/>
>> </iq>
>>
>> <iq type='result'
>>    from='balconyscene at plays.shakespeare.lit'
>>    to='juliet at capulet.com/balcony'
>>    id='info'>
>>  <query xmlns='urn:xmpp:tmp:tlsauth'>
>>    <x509 fingerprint='certificate-fingerprint'/>
>>    <openpgp fingerprint='openpgp-fingerprint'/>
>>    <srp/>
>>  </query>
>> </iq>
>
> We should have it in items IMO, so we can easily check and
> autonegotiate.
> We could just have entries there for every verification mechanism we
> support. Like urn:xmpp:c2ctls, urn:xmpp:c2ctls:x509,
> urn:xmpp:c2ctls:sas etc.

But where to put the fingerprint? IMHO that is needed to know if we
can use that mechanism. The information that the other side supports
X.509 is useless when I have no way to verify the key. The only option
I see is the 'name':

 <item jid='urn:xmpp:c2ctls:x509'
          name='fingerprint'/>

Looks kind of strange. On the other hand, the fingerprint is some sort
of name of the certificate.


Dirk

-- 
The sum of society's intelligence is less than the average of its
individual parts.
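Added example (not from the thread or any XMPP project's code) showing why Dirk's point matters: a client that parses the proposed `urn:xmpp:tmp:tlsauth` result, or the disco#items variant with the fingerprint squeezed into `name`, can only treat a mechanism as usable when it also gets something to verify against, and the advertised X.509 fingerprint is then compared with the certificate the peer actually presents in the TLS handshake. The certificate bytes, stanzas and SHA-256 fingerprint format are constructed assumptions; the disco#items namespace is the standard XEP-0030 one.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

NS_TLSAUTH = "urn:xmpp:tmp:tlsauth"                        # namespace from the thread
NS_DISCO_ITEMS = "http://jabber.org/protocol/disco#items"  # standard XEP-0030 namespace

# Constructed stand-in for a DER-encoded peer certificate (not a real certificate).
SAMPLE_PEER_CERT_DER = b"constructed-der-bytes-standing-in-for-a-certificate"


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes as colon-separated lowercase hex (assumed format)."""
    hexdigest = hashlib.sha256(der).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_tlsauth_query(stanza: str) -> dict:
    """Mechanisms from a <query xmlns='urn:xmpp:tmp:tlsauth'/> result.

    Returns {mechanism: fingerprint or None}, e.g. {'x509': 'ab:cd:...', 'srp': None}.
    """
    root = ET.fromstring(stanza)
    query = root.find(f"{{{NS_TLSAUTH}}}query")
    if query is None:
        return {}
    return {_local(child.tag): child.get("fingerprint") for child in query}


def parse_disco_items(stanza: str) -> dict:
    """Mechanisms from the disco#items variant, fingerprint carried in 'name'.

    Returns {item jid: name or None}.
    """
    root = ET.fromstring(stanza)
    query = root.find(f"{{{NS_DISCO_ITEMS}}}query")
    if query is None:
        return {}
    return {item.get("jid"): item.get("name")
            for item in query.findall(f"{{{NS_DISCO_ITEMS}}}item")}


def _normalize(fp: str) -> str:
    return fp.replace(":", "").replace(" ", "").lower()


def x509_fingerprint_matches(advertised: Optional[str], peer_cert_der: bytes) -> bool:
    """True only if the advertised fingerprint equals the presented certificate's.

    No advertised fingerprint means nothing to verify against, so the answer
    is False: knowing the peer "supports X.509" is not enough on its own.
    Comparison is constant-time to avoid leaking how many bytes matched.
    """
    if not advertised:
        return False
    expected = _normalize(fingerprint_der(peer_cert_der))
    return hmac.compare_digest(_normalize(advertised), expected)


def usable_mechanisms(advertised: dict) -> list:
    """Mechanisms the local side could actually go on to verify.

    x509/openpgp are only usable with a fingerprint; srp needs none here.
    """
    usable = []
    for mech, fp in advertised.items():
        if mech in ("x509", "openpgp") and fp:
            usable.append(mech)
        elif mech == "srp":
            usable.append(mech)
    return usable


# Constructed result stanzas in the two shapes discussed in the thread, with the
# x509 fingerprint filled in from SAMPLE_PEER_CERT_DER and openpgp left without one.
SAMPLE_TLSAUTH_RESULT = f"""
<iq type='result' from='balconyscene@plays.shakespeare.lit'
    to='juliet@capulet.com/balcony' id='info'>
  <query xmlns='{NS_TLSAUTH}'>
    <x509 fingerprint='{fingerprint_der(SAMPLE_PEER_CERT_DER)}'/>
    <openpgp/>
    <srp/>
  </query>
</iq>
"""

SAMPLE_DISCO_RESULT = f"""
<iq type='result' from='balconyscene@plays.shakespeare.lit'
    to='juliet@capulet.com/balcony' id='items'>
  <query xmlns='{NS_DISCO_ITEMS}'>
    <item jid='urn:xmpp:c2ctls:x509' name='{fingerprint_der(SAMPLE_PEER_CERT_DER)}'/>
    <item jid='urn:xmpp:c2ctls:sas'/>
  </query>
</iq>
"""

if __name__ == "__main__":
    mechs = parse_tlsauth_query(SAMPLE_TLSAUTH_RESULT)
    print("advertised:", mechs)
    print("usable:", usable_mechanisms(mechs))
    print("x509 matches presented cert:",
          x509_fingerprint_matches(mechs.get("x509"), SAMPLE_PEER_CERT_DER))
    print("disco#items view:", parse_disco_items(SAMPLE_DISCO_RESULT))
```

Whichever stanza shape wins, the check that matters happens after the TLS handshake: the certificate the peer presented is fingerprinted and compared against what was advertised out of band, and a mechanism advertised without a fingerprint is simply not selectable.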
