[Standards] XMPP Certificate checking algorithm

Shumon Huque shuque at isc.upenn.edu
Thu Feb 21 23:11:45 UTC 2008


On Thu, Feb 21, 2008 at 02:45:56PM -0800, Justin Karneges wrote:
> On Thursday 21 February 2008 1:02 pm, Shumon Huque wrote:
> > On Thu, Feb 21, 2008 at 12:58:03PM -0800, Justin Karneges wrote:
> > > On Thursday 21 February 2008 9:49 am, Peter Saint-Andre wrote:
> > > > First let's take Shumon's example of upenn.edu, which resolves via SRV
> > > > to jabber.upenn.edu. In this case, the certificate would include an
> > > > SRVName of _xmpp.jabber.upenn.edu, which would help the connecting
> > > > client (or server) to know that jabber.upenn.edu is the authorized
> > > > domain for connecting to the canonical XMPP service at upenn.edu (e.g.,
> > > > thus knowing that the DNS SRV lookup did not return poisoned results).
> > >
> > > This is not my understanding.
> > >
> > > If I resolve SRV for _xmpp-client._tcp.upenn.edu and receive
> > > jabber.attacker.com as a result, and then I connect to
> > > jabber.attacker.com and receive a certificate containing SRVName of
> > > _xmpp-client.jabber.attacker.com, then I don't see the security
> > > improvement.
> >
> > No, you'd be expecting to see SRVName of _xmpp-client.upenn.edu.
> 
> Exactly, which is what I went on to say. :)
> 
> -Justin

Ah right, thanks! I clearly didn't read Peter's quoted paragraph
properly! Then we are in agreement Justin :-)

--Shumon.
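The point the thread settles is that the reference identity a client checks against the certificate's SRVName must be derived from the domain the user originally asked for (upenn.edu), never from the hostname that the DNS SRV lookup returned; otherwise a poisoned SRV answer pointing at an attacker-controlled host with its own valid certificate would pass. The following is an added illustration of that check, not code from the thread or from any XMPP implementation. It assumes SRVName values are represented as the plain strings of the form `_<service>.<domain>` used in the thread (no X.509 parsing is done), and the function and variable names are my own.

```python
"""Reference-identity check for an XMPP SRVName, illustrating the thread's point.

Assumptions (not from the original post): SRVName values are modelled as plain
strings "_<service>.<domain>", and the certificate's SRVNames are handed in as a
list of such strings. No real certificate parsing takes place here.
"""


def build_reference_srvname(service: str, requested_domain: str) -> str:
    """Reference identity the client must expect. It is derived from the domain
    the user asked for (e.g. upenn.edu), never from the SRV target resolved."""
    return f"_{service}.{requested_domain}".lower().rstrip(".")


def parse_srvname(value: str):
    """Split "_xmpp-client.example.org" into ("xmpp-client", "example.org").
    Returns None when the string does not have that shape."""
    v = value.strip().lower().rstrip(".")
    if not v.startswith("_"):
        return None
    service, sep, domain = v[1:].partition(".")
    if not sep or not service or not domain:
        return None
    return service, domain


def srvname_matches(cert_srvnames, service: str, requested_domain: str) -> bool:
    """True iff the certificate carries an SRVName for this service at the
    requested domain (case-insensitive, trailing dot tolerated)."""
    want = parse_srvname(build_reference_srvname(service, requested_domain))
    return any(parse_srvname(name) == want for name in cert_srvnames)


def evaluate_connection(requested_domain: str, service: str, srv_target: str,
                        cert_srvnames) -> dict:
    """Summarize the check. Also reports the case the thread warns about: a
    certificate whose SRVName only matches the SRV target hostname, which is
    exactly what a poisoned SRV answer would let an attacker present."""
    matches_requested = srvname_matches(cert_srvnames, service, requested_domain)
    matches_target_only = (not matches_requested
                           and srvname_matches(cert_srvnames, service, srv_target))
    return {
        "accept": matches_requested,
        "matches_srv_target_only": matches_target_only,
        "expected": build_reference_srvname(service, requested_domain),
    }


# Constructed scenarios mirroring the thread: a legitimate SRV answer, and the
# poisoned answer Justin describes, where the attacker's host presents a
# certificate naming its own hostname rather than upenn.edu.
LEGIT = evaluate_connection("upenn.edu", "xmpp-client", "jabber.upenn.edu",
                            ["_xmpp-client.upenn.edu"])
POISONED = evaluate_connection("upenn.edu", "xmpp-client", "jabber.attacker.com",
                               ["_xmpp-client.jabber.attacker.com"])

if __name__ == "__main__":
    print("legitimate:", LEGIT)
    print("poisoned:  ", POISONED)
```

The deciding input is `requested_domain`, which is fixed before any DNS query is made; `srv_target` is used only to label the failure mode. A client that built its reference identity from `srv_target` instead would accept the poisoned case.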


