[Security] Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing

Pavel Simerda pavlix at pavlix.net
Mon Sep 1 17:13:08 CDT 2008


On Sun, 31 Aug 2008 20:47:47 +0200
Dirk Meyer <dmeyer at tzi.de> wrote:

> Peter Saint-Andre wrote:
> > Dirk Meyer wrote:
> >> Peter wants to give XEP-0189 more love, I guess this is something
> >> that should be in it. Also the user/client keys. When he is back I
> >> can work with him to add all that stuff.
> >
> > Sure, let's do that. Or feel free to pull the XML out of SVN and
> > start working on it. :)
> 
> I just looked at it and PEP and some other XEPs and there are some
> things I do not like. Maybe these XEPs need a small update for this
> use-case.
> 
> 1. PEP says the last_item should only be sent if the priority is not
>    negative. But all bots have a negative priority and will never get
>    the updates. Maybe an extra config option for PubSub/PEP: also send
>    to negative priority?

http://www.xmpp.org/extensions/xep-0060.html#filtered-notifications

No priority in PubSub.

In PEP:

"If a subscriber subscribed using a bare JID <localpart at domain.tld> and
a PEP service has appropriate presence information about the
subscriber, the PEP service MUST send one notification to the full JID
(<localpart at domain.tld/resource> or <domain.tld/resource>) of each of
the subscriber's available resources that have specified non-negative
presence priority and included XEP-0115 information that indicates an
interest in the data format."

I believe that if some resource indicates an interest, it should get
what it wants.

+1 for a change in the XEP

> 2. I like the fact that I get a notification when I start my client
>    when there is a new item (if it is configured that way). But I also
>    want to be notified when something was deleted (certificate
>    revoked). What I would like to have is that I get a notification
>    from the server that "something has changed since I was last
>    online" so I can get the whole tree of certificates.

You should not need to watch deleted items. Certificates are revoked,
not deleted; a revocation could just as easily be announced as a new item.

> Maybe move that discussion to the pubsub list? /me needs to subscribe
> to that list, too :)

Maybe, I'm not sure.

> And something else: I also added a note in my XEP proposal about the
> TLS verification: what should keys look like? XEP-0189 now uses xmldsig,
> which IMHO is very complicated. People know how keys look in PEM
> format. Maybe just use this?
> 
> 
> Dirk
> 


-- 

Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net
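The XEP-0163 filtering rule quoted above, and the relaxation Dirk asks for, as an added example that is not part of this thread; the node name is an assumption.

```python
from dataclasses import dataclass

# Constructed: a hypothetical PEP node for published certificates. Under
# XEP-0115/XEP-0163 a client signals interest by advertising "<node>+notify".
CERT_NODE = "urn:xmpp:pubsub:certificates"
NOTIFY_FEATURE = CERT_NODE + "+notify"

@dataclass
class Resource:
    jid: str             # full JID, e.g. user@domain.tld/resource
    priority: int        # presence priority; bots commonly use a negative one
    features: frozenset  # disco features advertised via XEP-0115 caps

def pep_recipients(resources, node, allow_negative=False):
    """Return the full JIDs a PEP service would notify for `node`.

    Implements the rule quoted from XEP-0163: an available resource gets a
    notification only if it advertises "<node>+notify" AND has non-negative
    presence priority. With allow_negative=True the priority check is
    dropped, which is the change this mail argues for.
    """
    wanted = node + "+notify"
    recipients = []
    for r in resources:
        if wanted not in r.features:
            continue                      # no interest in this data format
        if r.priority < 0 and not allow_negative:
            continue                      # filtered out by the current rule
        recipients.append(r.jid)
    return recipients

# Constructed presence set for one account: a desktop client, a
# certificate-watching bot with negative priority, and a phone without caps.
SAMPLE = [
    Resource("alice@example.org/desktop", 10, frozenset({NOTIFY_FEATURE})),
    Resource("alice@example.org/certbot", -1, frozenset({NOTIFY_FEATURE})),
    Resource("alice@example.org/phone", 5, frozenset()),
]

if __name__ == "__main__":
    print(pep_recipients(SAMPLE, CERT_NODE))                       # bot is dropped
    print(pep_recipients(SAMPLE, CERT_NODE, allow_negative=True))  # bot is included
```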

