[Security] Reminder :: Draft feedback on "C2C authentication using TLS"

Dirk Meyer dmeyer at tzi.de
Mon Aug 25 05:10:05 CDT 2008


Pedro Melo wrote:
> Hi,
>
> On Aug 25, 2008, at 10:48 AM, Dirk Meyer wrote:
>
>> Jonathan Schleifer wrote:
>>> Am 24.08.2008 um 20:59 schrieb Dirk Meyer:
>>>
>>>> You could put the stuff I added as <offer> to the disco stuff. But
>>>> it
>>>> must also work serverless. And when I work link-local I can not use
>>>> disco#query before connecting.
>>>
>>> For link-local, we can just try. But opening a direct connection and
>>> then trying STARTTLS and failing - that'd be stupid. So therefore, we
>>> should check before opening a connection when we're not link-local.
>>
>> Looking at XEP-0030 I see nothing that fits. But we we use the rule
>> that a client ignores a tag if it does not know the namespace and that
>> you can add a tag everywhere I see two choices.
>>
>> The first one is to add the offer directly in disco#query:
>>
>> <iq type='result'
>>    from='balconyscene at plays.shakespeare.lit'
>>    to='juliet at capulet.com/balcony'
>>    id='info3'>
>>  <query xmlns='http://jabber.org/protocol/disco#info'>
>>    <identity .../>
>>    <feature var='http://jabber.org/protocol/disco#info'/>
>>    ...
>>    <feature var='urn:xmpp:tmp:tlsauth'>
>>      <offer xmlns='urn:xmpp:tmp:tlsauth'>
>>        <x509 fingerprint='certificate-fingerprint'/>
>>        <openpgp fingerprint='openpgp-fingerprint'/>
>>        <srp/>
>>      </offer>
>>    </feature>
>
>
> Why not use:
>
> <feature var='urn:xmpp:tmp:tlsauth' />
> <feature var='urn:xmpp:tmp:tlsauth:x509cert' />
> <feature var='urn:xmpp:tmp:tlsauth:pgpcert' />
> <feature var='urn:xmpp:tmp:tlsauth:srp' />
[...]
> Placing the signatures in the IQ-Disco itself would jeopardize the
> latest advancements in Capabilities caching, and that is a bigger loss
> than the overhead of fetching the signatures as a second step in the
> protocol.

You are right, fingerprints do not belong here. But your idea also
does not work because of the same reason. We may have the same client
but since I have no OpenPGP key, me client does not support it.


Dirk

-- 
The future ain't what it used to be.


More information about the Security mailing list