[Standards-JIG] Re: mutual auth with SASL

Peter Saint-Andre stpeter at jabber.org
Fri Jun 2 22:26:52 UTC 2006


Justin Karneges wrote:
> On Friday 02 June 2006 11:21, Peter Saint-Andre wrote:
>> Mutual authentication between client and server would also be cool.
> 
> I know you mean client X.509, but before anyone freaks out I just wanted to 
> say that we certainly have mutual authentication today.
> 
> Clients are able to authenticate to the server, we learn this in Jabber 
> kindergarten. :)  And the server can authenticate itself to the client, via 
> X.509.  These have been in common use for years.

Yes, I mean X.509 -- as in, the server can look into the certificate
presented by the client and pull out the user's JID.

>> first we need to better define client-side handling of end-user certs
>> (and other credentials).
> 
> I figured the RFC covered this well enough, but it can't hurt to be more 
> explicit.  What do you think is missing?

RFC 3920 is fine as far as it goes, but there are some implementation
questions. What are the best practices for presenting the certificate
chain (including intermediate certificate authorities)? What do you show
the user if a contact's cert is bound to an untrusted root? How do you
import end-user certificates? Probably we can look at how browsers and
email clients handle this stuff to come up with some recommendations.
That kind of thing might not belong in the RFC, but some guidelines or
best practices might help implementors.

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
