Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt
Peter Saint-Andre <stpeter@stpeter.im> Mon, 25 October 2010 12:12 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id A32FF3A69E2; Mon, 25 Oct 2010 05:12:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.567
X-Spam-Level:
X-Spam-Status: No, score=-102.567 tagged_above=-999 required=5 tests=[AWL=0.032,
BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XTZ57XTDQFJe;
Mon, 25 Oct 2010 05:12:22 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com
(Postfix) with ESMTP id 7521C3A6A0E; Mon, 25 Oct 2010 05:12:14 -0700 (PDT)
Received: from squire.local (dsl-179-124.dynamic-dsl.frii.net
[216.17.179.124]) (Authenticated sender: stpeter) by stpeter.im (Postfix)
with ESMTPSA id 9065D40D1E; Mon, 25 Oct 2010 06:21:42 -0600 (MDT)
Message-ID: <4CC5747E.4080006@stpeter.im>
Date: Mon, 25 Oct 2010 06:13:50 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
rv:1.9.2.11) Gecko/20101013 Thunderbird/3.1.5
MIME-Version: 1.0
To: Philipp Hancke <fippo@mail.symlynx.com>
References: <4CBF3310.8060801@stpeter.im> <4CBF56A9.1090503@mail.symlynx.com>
In-Reply-To: <4CBF56A9.1090503@mail.symlynx.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="------------ms010200060906080708060001"
Cc: certid@ietf.org, XMPP Working Group <xmpp@ietf.org>
Subject: Re: [certid] [xmpp] Fwd:
Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2010 12:12:27 -0000
On 10/20/10 2:52 PM, Philipp Hancke wrote: > There is a minor problem with that from the XMPP-s2s POV: it does not > (explicitly) cover the case where a server verifies the identity of a > peer server (see rfc3920bis 6.2.4 or the s2s section of XEP 0178 for > details). > > AFAICS, the only difference is that the reference identifier is supplied > by the peer instead of being constructed as described in section 4.2. > > Therefore, I'd propose adding the following note to the end of section 4.1: > Note: Some application protocols such as XMPP perform the procedure > described in this section when verifiying a server identity in a > certificate presented by a TLS client. By this, and in contrast to the > procedure described in the next subsection, the reference identifier is > supplied by the peer (TLS client). Except for this and the inverted > client-server role, the verification process remains unchanged. Thanks for the proposed text. I suggest the following tweaks: Note: In some application protocols, the procedure described in this section can be performed by an application server acting as a TLS client when verifying a server-to-server connection, not only by an application client when verifying a client-to-server (e.g, this is true of XMPP). In this case, the application server verifies the identity of the peer server that is attempting to connect and thereore the reference identifier is in essence supplied by the peer server (e.g., as triggered by a request to send a message from an associated with the peer server to an entity associated with the application service). Other than the source of the reference identifier and the inverted roles of the TLS client and TLS server, the verification process remains unchanged. /psa
- [certid] Fwd: I-D Action:draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Philipp Hancke
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… Jim Schaad
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Philipp Hancke
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… =JeffH