[Summit] The S2S discussion

Joe Hildebrand hildjj at gmail.com
Mon Jul 20 19:38:06 CDT 2009


The steps we just talked about:

Assume example.com is being hosted by google.com, and example.net wants to connect to example.com.

1) Look up _xmpp-server._tcp.example.com -> talk.google.com:5269
2) TCP connect, start-tls, server offers certificate foo.google.com (just for clarity, but SHOULD be talk.google.com)
3) X.509 verify is ok (times, CA signature, etc.), everything but subject
4) If TLS authorization had worked (cert subject matched example.com), skip to step 10
5) If SRV record had been DNSSEC signed, and cert matched talk.google.com, skip to step 10
6) Responder puts <assert from='example.com'/> in stream features
7) Initiator says "prove that you're example.com":
<prove-it to='example.com' from='example.net' id='prove1'/>
8) Responder says:
<proof from='example.com' to='example.net' id='prove1'>
Base64(PKCS12(Attribute Cert(
XMPP-Delegation: foo.google.com
proof revocation list: http://...
Full chain of certs to trust anchor that initiator trusts
)))
</proof>
9) verify proof (validity, chain, revocation, etc.) <fail/> if not, (NOT FATAL to connection)
10) Initiator sends: <asserted/>
11) Initiator claims example.net (takes place of dialback and/or SASL EXTERNAL)
<assert from='example.net' to='example.com' id='assert1'/>
12) If responder doesn't trust cert from initiator:
<prove-it/>
<proof/> (or <go-fish/>)
13) responder says:
<asserted/>
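A toy model of steps 1 through 10 from the initiator's side, added here as an example and not code from the post or from any XMPP server. The SRV table, trust anchors, revocation list, clock values and the DelegationProof dataclass are constructed stand-ins for DNS, the initiator's trust store, the list at the proof's revocation URL and the PKCS12-wrapped attribute certificate.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-ins for DNS, the trust store and the proof revocation list.
SRV = {"example.com": ("talk.google.com", 5269)}   # _xmpp-server._tcp lookup result
TRUST_ANCHORS = {"Example Root CA"}                 # anchors the initiator trusts
REVOKED_SERIALS = {"serial-revoked"}                # fetched from the proof's list URL
NOW = datetime(2009, 7, 20, tzinfo=timezone.utc)   # constructed "current time"
LATER = datetime(2010, 1, 1, tzinfo=timezone.utc)  # constructed validity end

@dataclass
class DelegationProof:
    """Stand-in for the attribute certificate carried inside <proof/>."""
    delegator: str        # domain being asserted, e.g. example.com
    delegate: str         # cert subject the responder presented, e.g. foo.google.com
    not_after: datetime   # end of the validity window
    chain_anchor: str     # trust anchor the cert chain terminates in
    serial: str           # identifier checked against the revocation list

def tls_authorized(cert_subject, target, srv_host, dnssec_signed):
    """Steps 4-5: the TLS certificate alone settles it if its subject matches the
    target domain, or matches the SRV host and the SRV record was DNSSEC signed."""
    return cert_subject == target or (dnssec_signed and cert_subject == srv_host)

def verify_proof(proof, cert_subject, target, now):
    """Step 9: the delegation must bind the asserted domain to the certificate that
    was actually presented, be within its validity window, not be revoked, and
    chain to an anchor the initiator trusts."""
    if proof.delegator != target or proof.delegate != cert_subject:
        return False
    if now > proof.not_after or proof.serial in REVOKED_SERIALS:
        return False
    return proof.chain_anchor in TRUST_ANCHORS

def initiator_side(target, cert_subject, dnssec_signed, proof, now, me="example.net"):
    """Run steps 1-10 as the initiator. Returns (accepted, stanzas sent)."""
    srv_host, _port = SRV[target]                                       # step 1
    stanzas = []
    if tls_authorized(cert_subject, target, srv_host, dnssec_signed):   # steps 4-5
        stanzas.append("<asserted/>")                                   # step 10
        return True, stanzas
    stanzas.append(f"<prove-it to='{target}' from='{me}' id='prove1'/>")  # step 7
    if proof is None or not verify_proof(proof, cert_subject, target, now):
        stanzas.append("<fail/>")   # step 9: proof rejected, connection stays up
        return False, stanzas
    stanzas.append("<asserted/>")                                       # step 10
    return True, stanzas
```

The responder-side mirror (steps 11 through 13) is the same check with the roles swapped, so it is not repeated here.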
