[Standards] UPDATED: XEP-0257 (Client Certificate Management for SASL EXTERNAL)
Johansson Olle E
oej at edvina.net
Fri Feb 13 08:08:23 UTC 2009
12 feb 2009 kl. 18.03 skrev XMPP Extensions Editor:
> Version 0.2 of XEP-0257 (Client Certificate Management for SASL
> EXTERNAL) has been released.
> Abstract: This specification defines a method to manage client
> certificates that can be used with SASL External to allow clients to
> log in without a password.
> Changelog: [See revision history] (dm)
> Diff: http://svn.xmpp.org:18080/browse/XMPP/trunk/extensions/xep-0257.xml?%40diffMode=u&%40diffWrap=s&r1=2598&r2=2730&u=3&ignore=&k=
I think we should change the text about self-signed vs CA-signed that
is currently a bit ambigous. I know that Dirk's use case is not CA-
related, but I still think
that the XEP should be more neutral and I see a lot of use cases where
a CA will be required. It doesn't have to be a commercial CA, could be
the congersman-frog-who-signs-anything CA as well, but we have reasons
to verify the certificate chain.
We could add a statement in the beginning about different models for
trusting the certificates and then delete all references to whether
the cert is
signed by a trusted party or self-signed from other parts of the
A recommendation for server developers would be to implement a model
where the admin can set a policy for the use of certificates for SASL
- Only trusted certificates for bare JID certificates and any cert for
full JID ("bot") certificates
- Only trusted certificates for both bare JID and full JID certificates
- Any kind of certificate
With trusted certificates we mean a certificate that can be securely
verified by checking the CA chain to a trusted CA certificate.
More information about the Standards