[Standards-JIG] XMPP trust diameter

Hal Rottenberg halr9000 at gmail.com
Wed May 24 17:46:13 UTC 2006


On 5/24/06, Jean-Louis Seguineau <jean-louis.seguineau at laposte.net> wrote:
> I have seen many times on the list that XMPP is providing a greater level of
> trust than other communication protocols. XMPP certainly claims stronger
> authentication than many others through its support of SASL and/or TLS.

Careful, don't mix your terms here.  Trust != Authentication.  Also
SASL and TLS are used to authenticate to a server, not another person.

> My question to the list is: how far can the trust established on a user home
> server be extended outside this server. Or put another way, once I cross an
> s2s link, what remains of my initial trust, and how does it decrease with
> the number of links crossed?

When hops > 1 trust = 0 in practical terms.  For example, most people
agree that you can trust that a top-level CA has gone through some
effort (and $$) to obtain that root certificate.  What does that mean?
It just means that we know who that entity is.  I'm not aware of what
level of authenticity the CAs demand, but I do know that nothing is
mandated by law (not that I'm proposing that it should be, eh Peter?).
So what you have is a group of companies who have their own rules
about who can join.  Ok, this is starting to sound political even to
my ears but I'm really not trying to go there.

My point is this: TLS isn't a web-of-trust model, it's a hierarchical
model.  If you trust the guy at the top, you "have" to trust everyone
below.

The closest thing that we have to trust in XMPP now would be JEP-0027
[1], and that's just PGP/GPG bolted on top.  I don't believe it's in
very wide usage.  (I should do a Psi user poll...)

Besides, there is nothing in XMPP that tells me how the other end of
the conversation authenticated.  For all I know it uses anonymous SASL
and I'm speaking to a random visitor to a website who chose the nick
that I see in my chat window.  Or it could be some guy telnetting to
port 5222!

I hope this helps to answer your questions.  :)

[1]: http://www.jabber.org/jeps/jep-0027.html


-- 
Psi webmaster (http://psi-im.org)
im:hal at jabber.rocks.cc
http://halr9000.com
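As an added example, not part of Hal's message or of any XMPP project's code: a toy Python model of the two trust models contrasted above, the hierarchical X.509/TLS chain versus the PGP web of trust that JEP-0027 layers on top of XMPP. Everything in it is constructed for illustration: the PKI entries, the keyring, the ownertrust assignments and the helper names (pki_chain, pki_trusted, wot_valid_keys) are my own, and no real cryptography is involved; a "signature" is just a recorded claim that one party vouches for another. The thresholds are the classic GnuPG defaults (one fully trusted or three marginally trusted introducers, maximum certification depth five).

```python
"""Toy model of hierarchical (X.509/TLS) trust versus the PGP web of trust.

Constructed example, no real cryptography: a "signature" is only a recorded
claim that one party vouches for another, so this models how trust
propagates, not how it is verified.
"""

# ---------------------------------------------------------------------------
# Hierarchical model (X.509 / TLS): subject -> issuer; a root issues itself.
# Constructed sample PKI: one trusted root, one intermediate, two leaves,
# plus an unrelated self-signed certificate.
PKI_ISSUER = {
    "RootCA": "RootCA",
    "IntermediateCA": "RootCA",
    "jabber.example.org": "IntermediateCA",
    "mallory.example.net": "IntermediateCA",
    "selfsigned.example": "selfsigned.example",  # its own root, not RootCA
}


def pki_chain(subject, issuers=PKI_ISSUER, max_depth=10):
    """Follow issuer links from subject up to a self-signed root.

    Returns [subject, ..., root], or None if an issuer is missing or the
    chain exceeds max_depth (guards against cycles in malformed input)."""
    chain = [subject]
    while len(chain) <= max_depth:
        issuer = issuers.get(chain[-1])
        if issuer is None:
            return None
        if issuer == chain[-1]:
            return chain
        chain.append(issuer)
    return None


def pki_trusted(subject, trusted_roots, issuers=PKI_ISSUER):
    """Hierarchical rule: a leaf is trusted iff its chain ends at a root the
    verifier trusts. Depth does not weaken trust, and there is no way to
    trust the root yet reject one particular thing it transitively issued
    (note that mallory.example.net passes exactly like jabber.example.org)."""
    chain = pki_chain(subject, issuers)
    return chain is not None and chain[-1] in trusted_roots


# ---------------------------------------------------------------------------
# Web of trust (PGP): a key is valid only if keys *I* have assigned
# ownertrust to have signed it. Thresholds are the classic GnuPG defaults.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5

# Constructed sample keyring: signer -> set of keys that signer has signed.
WOT_SIGNATURES = {
    "me":    {"alice", "bob", "carol", "dave"},
    "alice": {"erin"},
    "bob":   {"frank", "grace"},
    "carol": {"frank"},
    "dave":  {"frank"},
    "erin":  {"heidi"},
}

# Ownertrust is a purely local decision about each key holder as an
# introducer. Keys absent here have unknown trust and introduce nobody.
OWNERTRUST = {
    "me": "ultimate",
    "alice": "full",
    "bob": "marginal",
    "carol": "marginal",
    "dave": "marginal",
}


def wot_valid_keys(own_key, signatures=WOT_SIGNATURES, ownertrust=OWNERTRUST):
    """Return {key: depth} for every key the local user should consider valid.

    Fixpoint over passes: a key becomes valid when, counting only signers
    that were already valid after the previous pass and lie within
    MAX_CERT_DEPTH, it has >= COMPLETES_NEEDED fully/ultimately trusted
    signers or >= MARGINALS_NEEDED marginally trusted ones. A valid key
    with no ownertrust (erin in the sample) vouches for nobody, so heidi
    stays invalid even though her signer is valid."""
    all_keys = set(signatures) | {k for signed in signatures.values() for k in signed}
    depth = {own_key: 0}
    while True:
        newly_valid = {}
        for key in all_keys - set(depth):
            full = marginal = 0
            best = None
            for signer, signed in signatures.items():
                if key not in signed or signer not in depth:
                    continue
                if depth[signer] >= MAX_CERT_DEPTH:
                    continue
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
                else:
                    continue
                step = depth[signer] + 1
                best = step if best is None else min(best, step)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[key] = best
        if not newly_valid:
            return depth
        depth.update(newly_valid)


if __name__ == "__main__":
    for leaf in ("jabber.example.org", "mallory.example.net", "selfsigned.example"):
        print(f"PKI  {leaf:20} trusted={pki_trusted(leaf, {'RootCA'})}")
    for key, d in sorted(wot_valid_keys("me").items(), key=lambda kv: kv[1]):
        print(f"WoT  {key:20} valid at depth {d}")
```

The contrast worth noticing is in the second hop: frank is two hops from me and is valid only because I explicitly assigned marginal trust to three separate introducers, while erin's signature on heidi counts for nothing because I never made any decision about erin. In the hierarchical model nothing of the sort exists: accepting RootCA accepts mallory.example.net at whatever depth it sits, which is the "if you trust the guy at the top, you have to trust everyone below" point.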