[Standards] XMPP Certificate checking algorithm

Peter Saint-Andre stpeter at stpeter.im
Fri Mar 21 20:54:54 UTC 2008

Shumon Huque wrote:
> On Thu, Feb 21, 2008 at 12:58:03PM -0800, Justin Karneges wrote:
>> On Thursday 21 February 2008 9:49 am, Peter Saint-Andre wrote:
>>> First let's take Shumon's example of upenn.edu, which resolves via SRV
>>> to jabber.upenn.edu. In this case, the certificate would include an
>>> SRVName of _xmpp.jabber.upenn.edu, which would help the connecting
>>> client (or server) to know that jabber.upenn.edu is the authorized
>>> domain for connecting to the canonical XMPP service at upenn.edu (e.g.,
>>> thus knowing that the DNS SRV lookup did not return poisoned results).
>> This is not my understanding.
>> If I resolve SRV for _xmpp-client._tcp.upenn.edu and receive 
>> jabber.attacker.com as a result, and then I connect to jabber.attacker.com 
>> and receive a certificate containing SRVName of 
>> _xmpp-client.jabber.attacker.com, then I don't see the security improvement.
> No, you'd be expecting to see SRVName of _xmpp-client.upenn.edu.

_xmpp.upenn.edu or xmpp_.upenn.edu?

> Presumably the operator of jabber.attacker.com would not be able
> to persuade a reputable CA to issue him a certificate with
> _xmpp-client.upenn.edu populated in the SRVName field.

You'd hope so. :)


Peter Saint-Andre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20080321/aa6fceeb/attachment.bin>

More information about the Standards mailing list