[Standards] UPDATED: XEP-0257 (Client Certificate Management for SASL EXTERNAL)

Johansson Olle E oej at edvina.net
Sun Feb 15 19:41:55 UTC 2009

On 13 Feb 2009, at 13:45, Dirk Meyer wrote:

> Johansson Olle E wrote:
>> I think we should change the text about self-signed vs CA-signed that
>> is currently a bit ambiguous. I know that Dirk's use case is not
>> CA-related, but I still think that the XEP should be more neutral and I
>> see a lot of use cases where a CA will be required.
> I added the text on request based on a discussion on the summit (with
> you?).
Yes, it was me :-)

> The only use case I could think of was a company internal use of
> XMPP. Maybe other use cases requiring a CA should be added to the
> beginning of the doc. Can you write down / outline some use cases?
Ok, I'll take that task and will write something up.

>> A recommendation for server developers would be to implement a model
>> where the admin can set a policy for the use of certificates for SASL
>> external:
>> - Only trusted certificates for bare JID certificates and any cert
>>   for full JID ("bot") certificates
>> - Only trusted certificates for both bare JID and full JID
>>   certificates
>> - Any kind of certificate
>> From your other mail:
>> "A free public XMPP server MUST allow self-signed certificates and
>> certificates signed by a CA unknown to the server."  (line 184)
>> I don't think this XEP is a good place to define policies and
>> definitions of "a free public XMPP server". That's outside of the
>> scope.  Adding a MUST here requires us to define "free public XMPP
>> server".
> Yes, I also don't like how I wrote it down. I wrote it because I guess
> most people will not have a certificate for all their devices.
> Therefore I wanted to make sure that I can use self-signed
> certificates on public servers such as xmpp.org.
I understand, we just have to be careful with how we write standards.
A MUST is a very strong policy.

