[Standards] XMPP and W3C Digital Signature Specification
dave at cridland.net
Sat Apr 5 22:21:53 UTC 2008
On Wed Apr 2 16:53:27 2008, Boyd Fletcher wrote:
> Over the last couple of years we have discussed various approaches
> to add
> digital signature support to XMPP that did not violate the XML
> nature of
> XMPP like RFC3923. We would like to propose a method of using W3C¹s
> Digital Signature specification. Below is description of how we use
> the W3C
> spec with XMPP. We have been using this approach for about 3 years
> and it
> seems to work quite well though it is a bit expensive in terms of
> size but with digital signatures, I¹m not sure that can be avoided.
> We are curious what other people think and if its worth moving
> forward with
> a XEP to formally describe the approach.
FX: Shuffling of hats - this is mostly as an Isode guy.
Based on a quick skim.
Internally at Isode, we have been tossing back and forth the idea of
using XTLS to provide end-to-end authentication via X.509
authenticated TLS channels. These need not be encrypted, but could
have integrity. The benefit here is that it dissociates the stanza
from the signature, and removes canonicalization, both of which are
quite nice. We need integrity-protected, authenticated channels
and/or stanzas for security labelling, as in our recent whitepaper.
On the other hand, this is probably a better mechanism, assuming that
sufficient implementation peices exist, and we're perfectly willing
to aim for this if possible.
It occurs to me that if the basic signature details (ie, everything
bar the ds:SignatureValue) used some other path, this might well be
preferable. XEP-0155 and/or Disco strike me as possible methods here.
These might reduce the size of the stanzas.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Standards