[Security] Reminder :: Draft feedback on "C2C authentication using TLS"
Dirk Meyer
dmeyer at tzi.de
Mon Aug 25 05:10:05 CDT 2008
Pedro Melo wrote:
> Hi,
>
> On Aug 25, 2008, at 10:48 AM, Dirk Meyer wrote:
>
>> Jonathan Schleifer wrote:
>>> Am 24.08.2008 um 20:59 schrieb Dirk Meyer:
>>>
>>>> You could put the stuff I added as <offer> to the disco stuff. But
>>>> it
>>>> must also work serverless. And when I work link-local I can not use
>>>> disco#query before connecting.
>>>
>>> For link-local, we can just try. But opening a direct connection and
>>> then trying STARTTLS and failing - that'd be stupid. So therefore, we
>>> should check before opening a connection when we're not link-local.
>>
>> Looking at XEP-0030 I see nothing that fits. But we we use the rule
>> that a client ignores a tag if it does not know the namespace and that
>> you can add a tag everywhere I see two choices.
>>
>> The first one is to add the offer directly in disco#query:
>>
>> <iq type='result'
>> from='balconyscene at plays.shakespeare.lit'
>> to='juliet at capulet.com/balcony'
>> id='info3'>
>> <query xmlns='http://jabber.org/protocol/disco#info'>
>> <identity .../>
>> <feature var='http://jabber.org/protocol/disco#info'/>
>> ...
>> <feature var='urn:xmpp:tmp:tlsauth'>
>> <offer xmlns='urn:xmpp:tmp:tlsauth'>
>> <x509 fingerprint='certificate-fingerprint'/>
>> <openpgp fingerprint='openpgp-fingerprint'/>
>> <srp/>
>> </offer>
>> </feature>
>
>
> Why not use:
>
> <feature var='urn:xmpp:tmp:tlsauth' />
> <feature var='urn:xmpp:tmp:tlsauth:x509cert' />
> <feature var='urn:xmpp:tmp:tlsauth:pgpcert' />
> <feature var='urn:xmpp:tmp:tlsauth:srp' />
[...]
> Placing the signatures in the IQ-Disco itself would jeopardize the
> latest advancements in Capabilities caching, and that is a bigger loss
> than the overhead of fetching the signatures as a second step in the
> protocol.
You are right, fingerprints do not belong here. But your idea also
does not work because of the same reason. We may have the same client
but since I have no OpenPGP key, me client does not support it.
Dirk
--
The future ain't what it used to be.
More information about the Security
mailing list