[Standards-JIG] Re: mutual auth with SASL

Peter Saint-Andre stpeter at jabber.org
Fri Jun 2 22:26:52 UTC 2006

Justin Karneges wrote:
> On Friday 02 June 2006 11:21, Peter Saint-Andre wrote:
>> Mutual authentication between client and server would also be cool.
> I know you mean client X.509, but before anyone freaks out I just wanted to
> say that we certainly have mutual authentication today.
> Clients are able to authenticate to the server, we learn this in Jabber
> kindergarten. :)  And the server can authenticate itself to the client, via
> X.509.  These have been in common use for years.

Yes, I mean X.509 -- as in, the server can look into the certificate
presented by the client and pull out the user's JID.

>> first we need to better define client-side handling of end-user certs
>> (and other credentials).
> I figured the RFC covered this well enough, but it can't hurt to be more
> explicit.  What do you think is missing?

RFC 3920 is fine as far as it goes, but there are some implementation
questions. What are the best practices for presenting the certificate
chain (including intermediate certificate authorities)? What do you show
the user if a contact's cert is bound to an untrusted root? How do you
import end-user certificates? Probably we can look at how browsers and
email clients handle this stuff to come up with some recommendations.
That kind of thing might not belong in the RFC, but some guidelines or
best practices might help implementors.


--
Peter Saint-Andre
Jabber Software Foundation
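The server-side step Peter describes, reading the user's JID out of the client's X.509 certificate, as an added example; this is not code from the thread or from any Jabber project. It assumes the JID is carried as an id-on-xmppAddr otherName in subjectAltName (RFC 3920 section 5.1.1) and constructs its own sample extension value instead of reading a real certificate.

```python
# id-on-xmppAddr, 1.3.6.1.5.5.7.8.5 (RFC 3920 s5.1.1), already DER-encoded
ID_ON_XMPPADDR = bytes.fromhex("2b06010505070805")


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value; short-form length is enough here."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]: returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        n = first
    else:                                 # long form: 0x8N, then N length bytes
        n = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + n], pos + n


def xmpp_addrs(san_der: bytes) -> list:
    """Return every id-on-xmppAddr JID in a DER SubjectAltName extension value.

    Call this only after the chain has validated to a trusted root; every
    field of an unverified certificate is chosen by whoever presented it.
    """
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    jids, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                   # only [0] otherName can carry a JID
            continue
        oid_tag, oid, nxt = read_tlv(body, 0)
        if oid_tag == 0x06 and oid == ID_ON_XMPPADDR:
            _, explicit, _ = read_tlv(body, nxt)     # value is [0] EXPLICIT
            val_tag, jid, _ = read_tlv(explicit, 0)
            if val_tag == 0x0C:                      # UTF8String
                jids.append(jid.decode("utf-8"))
    return jids


def sample_san(jid: str) -> bytes:
    """Constructed test input: one xmppAddr otherName plus a dNSName."""
    other = tlv(0xA0, tlv(0x06, ID_ON_XMPPADDR) + tlv(0xA0, tlv(0x0C, jid.encode())))
    dns = tlv(0x82, b"example.com")       # [2] IMPLICIT IA5String, no JID here
    return tlv(0x30, other + dns)


if __name__ == "__main__":
    print(xmpp_addrs(sample_san("juliet@example.com")))   # ['juliet@example.com']
```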
