[Standards] UPDATED: XEP-0257 (Client Certificate Management for SASL EXTERNAL)

Johansson Olle E oej at edvina.net
Fri Feb 13 08:08:23 UTC 2009


12 feb 2009 kl. 18.03 skrev XMPP Extensions Editor:

> Version 0.2 of XEP-0257 (Client Certificate Management for SASL  
> EXTERNAL) has been released.
>
> Abstract: This specification defines a method to manage client  
> certificates that can be used with SASL External to allow clients to  
> log in without a password.
>
> Changelog: [See revision history] (dm)
>
> Diff: http://svn.xmpp.org:18080/browse/XMPP/trunk/extensions/xep-0257.xml?%40diffMode=u&%40diffWrap=s&r1=2598&r2=2730&u=3&ignore=&k=
>

I think we should change the text about self-signed vs CA-signed that  
is currently a bit ambigous. I know that Dirk's use case is not CA- 
related, but I still think
that the XEP should be more neutral and I see a lot of use cases where  
a CA will be required. It doesn't have to be a commercial CA, could be
the congersman-frog-who-signs-anything CA as well, but we have reasons  
to verify the certificate chain.

We could add a statement in the beginning about different models for  
trusting the certificates and then delete all references to whether  
the cert is
signed by a trusted party or self-signed from other parts of the  
document.

A recommendation for server developers would be to implement a model  
where the admin can set a policy for the use of certificates for SASL  
external:

- Only trusted certificates for bare JID certificates and any cert for  
full JID ("bot") certificates
- Only trusted certificates for both bare JID and full JID certificates
- Any kind of certificate

With trusted certificates we mean a certificate that can be securely  
verified by checking the CA chain to a trusted CA certificate.

/O



More information about the Standards mailing list