[Security] XEP-0189 Update Proposal Part 1
dmeyer at tzi.de
Sat Sep 6 14:54:57 CDT 2008
Before updating the XML file I want to discuss changes to XEP-0189
Public Key Publishing here. This post/thread should be about keyinfo.
I want to replace KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#' with
something self-defined. xmlsig is very complicated and developers know
how to handle X.509 certificates in PEM format. There is also much
better support for that in SSL libraries. On the downside my proposal
is not so XMLish. This should also be used for XEP-0250.
Fingerprint is the fingerprint of the X.509 certificate. Every SSL lib
should be able to provide this.
Certificate is the certificate in PEM format. If I understand it
correctly, the PEM format is the DER format encoded with Base64. The
BEGIN CERTIFICATE and END CERTIFICATE stuff from PEM was removed.
The signature is created by calling the hash and sign function of my
TLS library on everything between <certificate> and </certificate>
without the whitespace or line breaks. So, it is a signature of the
PEM encoded certificate. This signature was transformed to Base64.
The signature is optional and there can be more than one signature.
Besides the certificate and the signature the keyinfo may also contain
<revoked/> or <expired/>. In that case the key should not be used.
Besides X.509, OpenPGP should also be supported. I have not looked into
an implementation but I guess it would look similar. The signature is
outside the x509 element to make it possible to sign OpenPGP keys with
the private key of an X.509 certificate and the other way around.
I do not know how this list handles attachments so I put some test
code to http://files.sachmittel.de/xep-0189.py
This code contains the certificates and private keys used in this
'The Geek shall inherit the earth.' - Linus 5:5
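The keyinfo steps described in the post, as an added Go example that is not part of the original post or of the xep-0189.py test code: it strips the PEM armor and line breaks, fingerprints the certificate, signs the bare Base64 text and verifies it against the certificate's own key. SHA-256 and ECDSA P-256 are assumptions of mine (the post does not fix an algorithm), and the self-signed certificate is constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"math/big"
	"time"
)

// PEMBody returns the DER bytes and the text that goes inside <certificate>: the PEM Base64 body with armor and line breaks removed.
func PEMBody(certPEM string) ([]byte, string, bool) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, "", false
	}
	return block.Bytes, base64.StdEncoding.EncodeToString(block.Bytes), true
}

// Fingerprint is the hex SHA-256 of the DER certificate (assumed hash; an SSL library reports the same value).
func Fingerprint(der []byte) string { h := sha256.Sum256(der); return hex.EncodeToString(h[:]) }

// SignBody is the "hash and sign" step over the <certificate> text; the raw ECDSA signature is transformed to Base64.
func SignBody(body string, key *ecdsa.PrivateKey) (string, error) {
	d := sha256.Sum256([]byte(body))
	raw, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	return base64.StdEncoding.EncodeToString(raw), err
}

// VerifyKeyInfo recomputes the fingerprint from the received body and checks the signature with the certificate's own key; either mismatch rejects the keyinfo.
func VerifyKeyInfo(fp, body, sig string) bool {
	der, err := base64.StdEncoding.DecodeString(body)
	cert, perr := x509.ParseCertificate(der)
	raw, serr := base64.StdEncoding.DecodeString(sig)
	if err != nil || perr != nil || serr != nil || Fingerprint(der) != fp {
		return false
	}
	d := sha256.Sum256([]byte(body))
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, d[:], raw)
}

// NewSelfSigned makes a throwaway P-256 self-signed certificate (constructed test data, not a real key).
func NewSelfSigned() (string, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), key, err
}
```

A receiver should run VerifyKeyInfo before trusting the fingerprint, since the fingerprint and the signature are only as good as the certificate text they were computed over.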