[xmppwg] Review of draft-meyer-xmpp-sasl-cert-management-01

Eric Rescorla ekr at rtfm.com
Fri Mar 20 12:18:38 CDT 2009

This document describes a set of mechanisms for using certificate-based
TLS client authentication between XMPP clients and servers. In particular,
it allows a user who has already authenticated to add, remove, etc.
new certificates to be used for future authentications. Generally,
this seems like a sound idea--indeed one that is so useful it might
be nice to put it in SASL or something so it could be reused by
other protocols. Comments below.

S 3.
I think it's important to be clear on what role certificates are playing
here. As far as I can tell, they're basically being used as a key
carrier, because that's what TLS requires. Accordingly, the rest
of the contents of the cert aren't really that important, just
the public key. In fact, a digest of the cert/public key would
be enough. Is there some other concept in play? If not, I would
remove all these requirements about what's in the subject alt name.

S 5.
There needs to be a requirement that this happen over TLS, no?

You probably need to specify what goes in the CertificateRequest,
since that's intended to include CAs but there won't be any
here. Probably empty...

Again, I think it's a mistake to look in the certificate for the
user name. that should just be associated with the account.

S 6.
<Why specify SHA-1 as the only digest?

S 7.
Again, why does expiration matter here?

S 8.
This may be quite hard to implement if, for instance, servers
fork for each client.

More information about the xmppwg mailing list