[Standards] Any protocol to request encrypted connections?

Ian Paterson ian.paterson at clientside.co.uk
Mon Feb 5 19:04:05 UTC 2007


Matthias Wimmer wrote:
>> Well, and even when we verify the identity of the destination server, 
>> we don't verify that the destination server is properly routing the 
>> stanza to the intended recipient. But I'd think that encrypted 
>> sessions would help here.
>
> I don't want to address the use cases of e2e by my question. One of the 
> use cases I have in mind is more light-weight. I thought that you 
> might e.g. operate a company server that can be accessed from the 
> public internet as well. But some of the data you send to your clients 
> should only be sent out if the connection to the client is protected. 
> It would be helpful if the sender of such information/events could 
> just pass an indication that this data should only be forwarded if 
> the destination is verified.

Is it sufficient for all communications to be encrypted and for the 
receiver's server to verify that the receiver is who the receiver's 
server thinks the receiver is? If so, then that is accomplished simply 
by verifying that only encrypted, authenticated s2s will be used, and 
that the receiver logged in using an encrypted session and some form of 
non-anonymous auth.

If you are saying that isn't enough, because you want proof of 
identity... then which identity? You're going to have to send the 
identity of the receiver to the receiver's server. (Otherwise how do you 
know that your idea of the identity of the receiver is the same as 
the receiver's server's idea?) You're also going to have to give your server 
the identity of the receiver's server... might there be other hops you 
don't know about?

I know you're looking for something light-weight, but IMHO there isn't a 
simple solution, and you're totally dependent on none of the 
intermediaries having been compromised.

Once clients support e2e all these issues will be resolved.

- Ian



