Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt

Philipp Hancke <fippo@mail.symlynx.com> Wed, 20 October 2010 20:51 UTC

Message-ID: <4CBF56A9.1090503@mail.symlynx.com>
Date: Wed, 20 Oct 2010 22:52:57 +0200
From: Philipp Hancke <fippo@mail.symlynx.com>
To: XMPP Working Group <xmpp@ietf.org>
Cc: certid@ietf.org
In-Reply-To: <4CBF3310.8060801@stpeter.im>
Subject: Re: [certid] [xmpp] Fwd: Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt

There is a minor problem with that from the XMPP-s2s POV: it does not 
(explicitly) cover the case where a server verifies the identity of a 
peer server (see rfc3920bis 6.2.4 or the s2s section of XEP 0178 for 
details).

AFAICS, the only difference is that the reference identifier is supplied 
by the peer instead of being constructed as described in section 4.2.

Therefore, I'd propose adding the following note to the end of section 4.1:
Note: Some application protocols such as XMPP perform the procedure 
described in this section when verifying a server identity in a 
certificate presented by a TLS client. By this, and in contrast to the 
procedure described in the next subsection, the reference identifier is 
supplied by the peer (TLS client). Except for this and the inverted 
client-server role, the verification process remains unchanged.

cheers

philipp
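The two roles contrasted in the mail, as an added example that is not part of the thread, the draft or any XMPP implementation: in the client role the reference identifier is constructed from the domain the client intends to reach (the draft's section 4.2), while in the server-to-server role the receiving server takes the reference identifier from the domain the peer claims and then runs the same matching procedure against the identifiers in the peer's certificate. The identifier types (SRV-ID of the form `_xmpp-server.<domain>`, XmppAddr, DNS-ID) follow RFC 6120's s2s usage; the data class, function names, ASCII-only normalisation and the absence of wildcard and IDNA handling are simplifying assumptions of this example.

```python
"""Added example (not from the mailing-list thread or the draft): the same
identity-matching step applied in the two roles Philipp's note contrasts."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PresentedIdentifiers:
    """Identifiers extracted from the peer's certificate (assumed shape)."""
    dns_ids: List[str] = field(default_factory=list)     # subjectAltName dNSName
    srv_ids: List[str] = field(default_factory=list)     # SRVName, e.g. "_xmpp-server.example.net"
    xmpp_addrs: List[str] = field(default_factory=list)  # id-on-xmppAddr entries


def _norm(name: str) -> str:
    # Assumption: ASCII hostnames only; IDNA/nameprep handling is omitted here.
    return name.strip().rstrip(".").lower()


def identifiers_match(reference: str, presented: PresentedIdentifiers,
                      service: str = "xmpp-server") -> bool:
    """The section-4.1 style check: does any presented identifier match the
    reference identifier?  Exact matches only; wildcards are not supported
    in this example (assumption)."""
    ref = _norm(reference)
    if not ref:
        return False  # an empty reference must never match anything
    # SRV-ID: "_<service>.<domain>" binds the certificate to the XMPP service
    if any(_norm(s) == f"_{service}.{ref}" for s in presented.srv_ids):
        return True
    # XmppAddr: the bare domain JID in the certificate
    if any(_norm(x) == ref for x in presented.xmpp_addrs):
        return True
    # DNS-ID: plain hostname match, lowest priority
    return any(_norm(d) == ref for d in presented.dns_ids)


def reference_from_target(target_domain: str) -> str:
    """Client role: the reference identifier is the domain the client itself
    decided to connect to (constructed as in the draft's section 4.2)."""
    return target_domain


def verify_s2s_peer(claimed_from: str, presented: PresentedIdentifiers) -> bool:
    """Receiving-server role (the case the mail says is not explicitly
    covered): the reference identifier is the domain the peer asserted in its
    stream header, and the verifier only accepts the connection when the
    peer's certificate actually carries that identity."""
    return identifiers_match(claimed_from, presented)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    peer_cert = PresentedIdentifiers(srv_ids=["_xmpp-server.example.net"],
                                     dns_ids=["example.net"])
    print(verify_s2s_peer("example.net", peer_cert))    # True
    print(verify_s2s_peer("victim.example", peer_cert))  # False: claim not backed by the cert
```

The point to carry into an implementation is the final check: a peer may assert any `from` domain it likes, so a mismatch between the claimed domain and the certificate's identifiers must fail the connection rather than fall back to a weaker identity (such as the DNS name the socket happened to come from).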