[Security] Reminder :: Draft feedback on "C2C authentication using TLS"
dmeyer at tzi.de
Mon Aug 25 05:10:05 CDT 2008
Pedro Melo wrote:
> On Aug 25, 2008, at 10:48 AM, Dirk Meyer wrote:
>> Jonathan Schleifer wrote:
>>> Am 24.08.2008 um 20:59 schrieb Dirk Meyer:
>>>> You could put the stuff I added as <offer> to the disco stuff. But
>>>> must also work serverless. And when I work link-local I can not use
>>>> disco#query before connecting.
>>> For link-local, we can just try. But opening a direct connection and
>>> then trying STARTTLS and failing - that'd be stupid. So therefore, we
>>> should check before opening a connection when we're not link-local.
>> Looking at XEP-0030 I see nothing that fits. But if we use the rule
>> that a client ignores a tag if it does not know the namespace and that
>> you can add a tag everywhere I see two choices.
>> The first one is to add the offer directly in disco#query:
>> <iq type='result'
>> from='balconyscene at plays.shakespeare.lit'
>> to='juliet at capulet.com/balcony'
>> <query xmlns='http://jabber.org/protocol/disco#info'>
>> <identity .../>
>> <feature var='http://jabber.org/protocol/disco#info'/>
>> <feature var='urn:xmpp:tmp:tlsauth'>
>> <offer xmlns='urn:xmpp:tmp:tlsauth'>
>> <x509 fingerprint='certificate-fingerprint'/>
>> <openpgp fingerprint='openpgp-fingerprint'/>
> Why not use:
> <feature var='urn:xmpp:tmp:tlsauth' />
> <feature var='urn:xmpp:tmp:tlsauth:x509cert' />
> <feature var='urn:xmpp:tmp:tlsauth:pgpcert' />
> <feature var='urn:xmpp:tmp:tlsauth:srp' />
> Placing the signatures in the IQ-Disco itself would jeopardize the
> latest advancements in Capabilities caching, and that is a bigger loss
> than the overhead of fetching the signatures as a second step in the
You are right, fingerprints do not belong here. But your idea also
does not work because of the same reason. We may have the same client
but since I have no OpenPGP key, my client does not support it.
The future ain't what it used to be.
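An added example, not code from this thread or from any XMPP project, illustrating the Capabilities-caching objection above: the XEP-0115 verification string is computed only over identities and features, so two users of the same client who advertise different certificate fingerprints inside the proposed <offer/> element hash identically, and a peer caching disco#info by ver would hand one user's fingerprint to the other. The stanza shape, the client name and the fingerprint values are constructed assumptions; extended data forms are left out of the hash.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DISCO_NS = "http://jabber.org/protocol/disco#info"
TLSAUTH_NS = "urn:xmpp:tmp:tlsauth"  # namespace from the draft under discussion
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

def caps_ver(query_xml: str) -> str:
    """XEP-0115 (v1.5) verification string for a disco#info <query/>.

    Only identities and features feed the SHA-1 (extended data forms are
    omitted here); child elements such as <offer/> never reach the hash.
    """
    query = ET.fromstring(query_xml)
    identities = sorted(
        (i.get("category", ""), i.get("type", ""), i.get(XML_LANG, ""), i.get("name", ""))
        for i in query.findall(f"{{{DISCO_NS}}}identity")
    )
    features = sorted(f.get("var", "") for f in query.findall(f"{{{DISCO_NS}}}feature"))
    s = "".join("/".join(ident) + "<" for ident in identities)
    s += "".join(var + "<" for var in features)
    return base64.b64encode(hashlib.sha1(s.encode("utf-8")).digest()).decode("ascii")

def offered_fingerprints(query_xml: str) -> dict:
    """Fingerprints a peer advertises inside the proposed <offer/> element."""
    query = ET.fromstring(query_xml)
    return {
        child.tag.split("}")[-1]: child.get("fingerprint")
        for offer in query.iter(f"{{{TLSAUTH_NS}}}offer")
        for child in offer
    }

def disco_query(x509_fingerprint: str) -> str:
    """Constructed disco#info result in the shape proposed in the thread (assumed)."""
    return (
        f"<query xmlns='{DISCO_NS}'>"
        f"<identity category='client' type='pc' name='ExampleClient'/>"
        f"<feature var='{DISCO_NS}'/>"
        f"<feature var='{TLSAUTH_NS}'>"
        f"<offer xmlns='{TLSAUTH_NS}'><x509 fingerprint='{x509_fingerprint}'/></offer>"
        f"</feature></query>"
    )

def same_client_two_users_collide() -> bool:
    """Same client, two users, two certificates: equal ver, different fingerprints."""
    alice = disco_query("AA:AA:AA:AA")  # constructed fingerprint
    bob = disco_query("BB:BB:BB:BB")    # constructed fingerprint
    return caps_ver(alice) == caps_ver(bob) and offered_fingerprints(alice) != offered_fingerprints(bob)
```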