[Standards-JIG] Re: mutual auth with SASL
stpeter at jabber.org
Fri Jun 2 22:26:52 UTC 2006
Justin Karneges wrote:
> On Friday 02 June 2006 11:21, Peter Saint-Andre wrote:
>> Mutual authentication between client and server would also be cool.
> I know you mean client X.509, but before anyone freaks out I just wanted to
> say that we certainly have mutual authentication today.
> Clients are able to authenticate to the server, we learn this in Jabber
> kindergarten. :) And the server can authenticate itself to the client, via
> X.509. These have been in common use for years.
Yes, I mean X.509 -- as in, the server can look into the certificate
presented by the client and pull out the user's JID.
>> first we need to better define client-side handling of end-user certs
>> (and other credentials).
> I figured the RFC covered this well enough, but it can't hurt to be more
> explicit. What do you think is missing?
RFC 3920 is fine as far as it goes, but there are some implementation
questions. What are the best practices for presenting the certificate
chain (including intermediate certificate authorities)? What do you show
the user if a contact's cert is bound to an untrusted root? How do you
import end-user certificates? Probably we can look at how browsers and
email clients handle this stuff to come up with some recommendations.
That kind of thing might not belong in the RFC, but some guidelines or
best practices might help implementors.
Jabber Software Foundation
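The two points above, the server pulling the JID out of the client's certificate and the question of what to do with a chain that ends in an untrusted root, as an added example in Go using only the standard library. It is not code from this thread or from any Jabber project: it mints a throwaway CA and client certificate in memory, places the JID in subjectAltName as the id-on-xmppAddr otherName that RFC 3920 section 5.1.1 defines, and then does the server-side work: verify the chain against the trust store, then read the JID. The function names (BuildDemoPKI, JIDFromCert, AuthenticateClient), the CA and subject names and the sample JID juliet@example.com are assumptions of the example; an empty trust store stands in for the untrusted-root case.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-on-xmppAddr (RFC 3920 section 5.1.1) is the subjectAltName otherName type that carries a JID.
var (
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidXmppAddr       = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 5}
)

// otherName mirrors RFC 5280: OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; for xmppAddr the value is a UTF8String.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// xmppAddrSAN encodes a subjectAltName holding one otherName ([0] IMPLICIT) of type xmppAddr (demo setup, panics on failure).
func xmppAddrSAN(jid string) pkix.Extension {
	name, err := asn1.MarshalWithParams(otherName{TypeID: oidXmppAddr, Value: jid}, "tag:0")
	check(err)
	val, err := asn1.Marshal([]asn1.RawValue{{FullBytes: name}}) // GeneralNames ::= SEQUENCE OF GeneralName
	check(err)
	return pkix.Extension{Id: oidSubjectAltName, Value: val}
}

// JIDFromCert is the server-side lookup: walk subjectAltName and return the first xmppAddr it holds.
func JIDFromCert(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue
		if rest, err := asn1.Unmarshal(ext.Value, &names); err != nil || len(rest) != 0 {
			return "", errors.New("malformed subjectAltName")
		}
		for _, gn := range names {
			// Only a [0] otherName parses here; dNSName, rfc822Name and the rest fail the tag check.
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidXmppAddr) {
				return on.Value, nil
			}
		}
	}
	return "", errors.New("no xmppAddr in subjectAltName")
}

// AuthenticateClient is the server's SASL EXTERNAL step: verify the chain against the roots it trusts, then read the JID.
// A chain ending in a root the server does not trust is reported as its own failure, not silently accepted.
func AuthenticateClient(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if errors.As(err, new(x509.UnknownAuthorityError)) {
		return "", fmt.Errorf("client cert chains to an untrusted root: %w", err)
	}
	if err != nil {
		return "", err
	}
	return JIDFromCert(cert)
}

// BuildDemoPKI mints an in-memory CA and a client certificate carrying jid under it (constructed test material); trusted holds that CA, untrusted is an empty trust store.
func BuildDemoPKI(jid string) (client *x509.Certificate, trusted, untrusted *x509.CertPool) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	clientPub, _, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo XMPP CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	check(err)
	ca, err := x509.ParseCertificate(caDER)
	check(err)
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "end user"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ExtraExtensions: []pkix.Extension{xmppAddrSAN(jid)}}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, ca, clientPub, caKey)
	check(err)
	client, err = x509.ParseCertificate(clientDER)
	check(err)
	trusted, untrusted = x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(ca)
	return client, trusted, untrusted
}
```

Calling `AuthenticateClient(client, trusted)` on the output of `BuildDemoPKI("juliet@example.com")` returns the JID; the same call with the empty pool returns the untrusted-root error. Keeping that error distinct from other verification failures is what lets a server log "unknown issuer" separately, which is the kind of guideline the questions above are asking for.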