[Standards] XMPP and W3C Digital Signature Specification

Dave Cridland dave at cridland.net
Sat Apr 5 22:21:53 UTC 2008


On Wed Apr  2 16:53:27 2008, Boyd Fletcher wrote:
> Over the last couple of years we have discussed various approaches to add
> digital signature support to XMPP that did not violate the XML nature of
> XMPP like RFC3923. We would like to propose a method of using W3C's XML
> Digital Signature specification. Below is a description of how we use the
> W3C spec with XMPP. We have been using this approach for about 3 years and
> it seems to work quite well, though it is a bit expensive in terms of
> message size, but with digital signatures I'm not sure that can be avoided.
> 
> We are curious what other people think and if it's worth moving forward
> with a XEP to formally describe the approach.

FX: Shuffling of hats - this is mostly as an Isode guy.

Based on a quick skim.

Internally at Isode, we have been tossing back and forth the idea of  
using XTLS to provide end-to-end authentication via X.509  
authenticated TLS channels. These need not be encrypted, but could  
have integrity. The benefit here is that it dissociates the stanza  
from the signature, and removes canonicalization, both of which are  
quite nice. We need integrity-protected, authenticated channels  
and/or stanzas for security labelling, as in our recent whitepaper.

On the other hand, this is probably a better mechanism, assuming that  
sufficient implementation pieces exist, and we're perfectly willing  
to aim for this if possible.

It occurs to me that if the basic signature details (i.e., everything  
bar the ds:SignatureValue) used some other path, this might well be  
preferable. XEP-0155 and/or Disco strike me as possible methods here.  
These might reduce the size of the stanzas.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
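The following is an added worked example (not code from the thread, from Isode, or from the system Boyd describes) of what the two messages are discussing: a detached W3C XML Signature over an XMPP stanza, the canonicalization step that XTLS would avoid, and a sketch of Dave's suggestion that only ds:SignatureValue travel in the stanza while the rest of ds:SignedInfo is advertised out of band. It assumes the following, none of which come from the thread: HMAC-SHA256 (an algorithm XML-DSig does define) stands in for the X.509/RSA signing so the example runs with only the Python standard library; xml.etree.ElementTree.canonicalize(), which implements C14N 2.0, stands in for the C14N 1.x or Exclusive C14N transforms a real XML-DSig deployment would use; the stanza, key, and the "urn:example:compact-dsig" element used for the compact form are constructed for illustration and are not any XEP.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm identifiers. ET.canonicalize() implements C14N 2.0; a real XML-DSig
# deployment would more likely use C14N 1.x or Exclusive C14N (assumption).
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

ET.register_namespace("ds", DS)

# Constructed sample stanza and shared key (not from the thread). The HMAC key
# stands in for the X.509 private key a real deployment would sign with.
STANZA = ('<message xmlns="jabber:client" id="m1" to="juliet@example.com" '
          'from="romeo@example.net/orchard"><body>Art thou not Romeo?</body></message>')
KEY = b"constructed-demo-key-not-a-real-secret"


def c14n(xml_text: str) -> bytes:
    """Canonical serialisation: sorted attributes, normalised empty elements,
    whitespace-only text dropped. Both peers must sign and verify this form,
    not whatever bytes happened to cross the wire."""
    return ET.canonicalize(xml_text, strip_text=True).encode()


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def stanza_digest(stanza: str) -> str:
    return b64(hashlib.sha256(c14n(stanza)).digest())


def signed_info(digest_value: str) -> str:
    """ds:SignedInfo. Everything in it is static per sender except DigestValue,
    which the verifier can recompute from the stanza itself."""
    return (f'<ds:SignedInfo xmlns:ds="{DS}">'
            f'<ds:CanonicalizationMethod Algorithm="{C14N2}"/>'
            f'<ds:SignatureMethod Algorithm="{HMAC_SHA256}"/>'
            '<ds:Reference URI="">'
            f'<ds:Transforms><ds:Transform Algorithm="{C14N2}"/></ds:Transforms>'
            f'<ds:DigestMethod Algorithm="{SHA256}"/>'
            f'<ds:DigestValue>{digest_value}</ds:DigestValue>'
            '</ds:Reference></ds:SignedInfo>')


def sign(stanza: str, key: bytes) -> str:
    """Full detached ds:Signature element for one stanza."""
    si = signed_info(stanza_digest(stanza))
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    return (f'<ds:Signature xmlns:ds="{DS}">{si}'
            f'<ds:SignatureValue>{b64(mac)}</ds:SignatureValue></ds:Signature>')


def verify(stanza: str, signature_xml: str, key: bytes) -> bool:
    """Verify the full form: check the stanza digest first, then the MAC over
    the canonical form of SignedInfo."""
    root = ET.fromstring(signature_xml)
    si_el = root.find(f"{{{DS}}}SignedInfo")
    sig_el = root.find(f"{{{DS}}}SignatureValue")
    if si_el is None or sig_el is None:
        return False
    digest_el = si_el.find(f".//{{{DS}}}DigestValue")
    if digest_el is None or digest_el.text != stanza_digest(stanza):
        return False
    si_xml = ET.tostring(si_el, encoding="unicode")
    expected = hmac.new(key, c14n(si_xml), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(sig_el.text or ""))


# Hypothetical compact form (made-up element, not any XEP): the static parts of
# SignedInfo are assumed to have been advertised out of band, e.g. via disco,
# so the stanza carries only the SignatureValue.
def compact(signature_xml: str) -> str:
    value = ET.fromstring(signature_xml).findtext(f"{{{DS}}}SignatureValue")
    return f'<sig xmlns="urn:example:compact-dsig">{value}</sig>'


def verify_compact(stanza: str, compact_xml: str, key: bytes) -> bool:
    """Rebuild SignedInfo from the advertised profile plus a locally computed
    digest, then check the MAC against it."""
    value = ET.fromstring(compact_xml).text or ""
    expected = hmac.new(key, c14n(signed_info(stanza_digest(stanza))),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(value))


if __name__ == "__main__":
    full = sign(STANZA, KEY)
    small = compact(full)
    print("full signature bytes:", len(full), "compact:", len(small))
    print("verify full:", verify(STANZA, full, KEY),
          "verify compact:", verify_compact(STANZA, small, KEY))
    print("tampered:", verify(STANZA.replace("Romeo", "Mercutio"), full, KEY))
```

Two things worth noticing when running it: a stanza re-serialised with different attribute order and extra whitespace between elements still verifies, which is exactly the work canonicalization does (and the work an integrity-protected XTLS channel would not need, since it protects the bytes as sent); and the compact form is a small fraction of the full ds:Signature, because the verifier can regenerate every static part of SignedInfo, and the digest, on its own.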