[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]

Jonathan Chayce Dickinson chayce.za at gmail.com
Wed Sep 12 07:31:33 UTC 2007


Or, alternatively, what I said before, is that the SSL/TLS be two way, that
is both the client and the server present certificates (SASL EXTERNAL).
Certificates are freely available from start.com, so that needn't be an
issue for the client. We just need the mainstream servers, like JAIM and J.O
to implement it: and then everyone will catch on.

This also runs along with the SPIMming issue from a while back. As I said,
if a client is misbehaving you simply report it to the CA and get the
certificate revoked. That would be a huge pain for SPIMmers, they can make
accounts as they see fit, but not certificates.

In the case of a SPIMmer having their own server, we could try something
like the following (the server NEVER authenticates itself with other
servers, rather, the client certificate is used for that):

* John connects to j.o with his certificate.
* He wants to send a message to Fred in jaim.org.
* Jaim.org sends a SASL EXTERNAL request to j.o, which forwards it to John.
* John sends his certificate to j.o, which then forwards it to jaim.org.
* Jaim.org checks his certificate against his CA.
* John, and not j.o, is now authenticated on Jaim.org.




More information about the Standards mailing list