[Standards] Proposed XMPP Extension: Remote Authentication

Dave Cridland dave at cridland.net
Thu Dec 2 17:06:28 UTC 2010


On Thu Dec  2 15:47:04 2010, Peter Saint-Andre wrote:
> Another idea: client auto-generates a cert for me and I register it  
> with
> my server when I register an account (or after the first login).

If you're reliant on the server to "vouch" for your public key (which  
is all the certificate is, here), then you're effectively treating  
the server as a kind of quasi-CA - it is asserting that the  
certificate is yours.

It also means that remote entities must:

a) Trust your server to make that assertion.

b) Authenticate your server.

However, both are essentially true anyway, aren't they?

We assume that if the server jabber.org says a stanza is from  
stpeter at jabber.org, then it's being honest, and we assume that a  
server really is jabber.org and able to make that assertion by  
authenticating it (either with X.509 or DNS, whichever our server  
trusts).

So my general feeling here is that in terms of authentication, such a  
pattern actually gains us nothing. It intuitively *feels* like it  
should, of course, but I can't see what it does actually gain.

(FWIW, I wondered for some time about clients generating a CSR and  
having servers actually be PKIX CAs, but that equally gains nothing,  
except adding lots more exciting-looking X.509).

Of course, if the certificate is signed by a trusted party (ie, a  
real CA), then everything changes - the server cannot advertise a  
false certificate any longer, so the situation is entirely different.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade



More information about the Standards mailing list