Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt
Peter Saint-Andre <stpeter@stpeter.im> Wed, 03 November 2010 22:59 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 617DB3A68F7; Wed, 3 Nov 2010 15:59:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.266
X-Spam-Level:
X-Spam-Status: No,
score=-102.266 tagged_above=-999 required=5 tests=[AWL=-0.267, BAYES_00=-2.599,
J_CHICKENPOX_83=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fGxfFD8rGAgU;
Wed, 3 Nov 2010 15:59:06 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com
(Postfix) with ESMTP id 2F1973A67FE; Wed, 3 Nov 2010 15:59:06 -0700 (PDT)
Received: from squire.local (dsl-228-82.dynamic-dsl.frii.net [216.17.228.82])
(Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id
528CA40D1E; Wed, 3 Nov 2010 17:07:56 -0600 (MDT)
Message-ID: <4CD1E93F.2050501@stpeter.im>
Date: Wed, 03 Nov 2010 16:59:11 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: Philipp Hancke <fippo@mail.symlynx.com>
References: <4CBF3310.8060801@stpeter.im> <4CBF56A9.1090503@mail.symlynx.com>
<4CC5747E.4080006@stpeter.im> <4CC5897C.3080600@stpeter.im>
<4CCEA426.8060003@mail.symlynx.com>
In-Reply-To: <4CCEA426.8060003@mail.symlynx.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="------------ms060304030105080805010304"
Cc: certid@ietf.org, XMPP Working Group <xmpp@ietf.org>
Subject: Re: [certid] [xmpp] Fwd:
Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Nov 2010 22:59:07 -0000
On 11/1/10 5:27 AM, Philipp Hancke wrote:
> Peter Saint-Andre wrote:
> [...]
>> Oops, there were some typos and missing words. That's what I get for
>> replying to email while eating breakfast at 6 AM. Corrected text:
>>
>> ###
>>
>> Note: In some application protocols, the procedure described in
>> this section can be performed by an application server acting as a
>> TLS client when verifying a server-to-server connection, not only by
>
> s/TLS client/TLS server/
In XMPP at least, if Romeo's personal server (montague.lit) attempts to
connect to Juliet's personal server (capulet.lit), he asserts to her
that he is montague.lit and she takes that as her reference identifier.
Thus her server is acting as a TLS client in relation to the presented
identifiers in the certificate that Romeo's personal server provides.
This is what's distinctive about the server-to-server case -- an
application service is acting as a TLS client.
>> an application client when verifying a client-to-server connection
>> (e.g, this is true of XMPP). In this case, the application server
>> verifies the identity of the peer server that is attempting to
>> connect and therefore the reference identifier is in essence
>> supplied by the peer server (e.g., as triggered by a request to send
>> a message from an entity associated with the peer server to an
>
> I think it is not clear who is verifying
If you try to connect to me, I'm going to verify you -- even if I'm an
XMPP server.
> (probably because both parties
> are for xmpp-s2s).
Yes, ideally the verification happens in both directions.
> What about:
>
> In some application protocols, the procedure described in this section
> can also be performed by an application server when verifying a incoming
> [server-to-server?] connection from a peer, not only when verifying an
> outgoing connection (e.g., this is true for XMPP).
> In this case, the application server, acting as a TLS server, verifies
> the identity of the TLS client and the reference identifier is in
> essence supplied by the peer [...]
>
> [where the peer server is the TLS client]
I think the peer server is the TLS server and the application service is
the TLS client.
>> entity associated with the application service). Other than the
>> source of the reference identifier and the inverted roles of the TLS
>> client and TLS server, the verification process remains unchanged.
>
> +1
I suggest the following modified text:
Note: In some application protocols (e.g., XMPP), the procedure
described in this section can be performed by an application
server acting as a TLS client when verifying an incoming server-
to-server connection, not only by an application client acting as
a TLS client when verifying the server with which it is
interacting to establish an outgoing client-to-server connection.
In this case, the application server verifies the identity of the
peer server that is attempting to connect and uses as its
reference identifier the DNS domain name asserted by the peer
server (e.g., as triggered by a request to send a message from an
entity associated with the peer server to an entity associated
with the application service). Other than the source of the
reference identifier and the fact that an application service is
acting as a TLS client, the verification process remains
unchanged.
/psa
- [certid] Fwd: I-D Action:draft-saintandre-tls-ser… Peter Saint-Andre
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Philipp Hancke
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… Jim Schaad
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Philipp Hancke
- Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-sa… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… Peter Saint-Andre
- Re: [certid] Fwd: I-D Action:draft-saintandre-tls… =JeffH