Re: [POSH] [xmpp] Comments/questions on draft-miller-posh-00

Dave Cridland <dave@cridland.net> Wed, 31 July 2013 09:09 UTC

In-Reply-To: <BF7E36B9C495A6468E8EC573603ED9411EE55C3F@xmb-aln-x11.cisco.com>
References: <CAPms+wRR_ZtLq94mRCDVXEW9WyZeDmYx+1hU+zCXV1fT0GSZ+g@mail.gmail.com> <51F401CE.9080803@stpeter.im> <51F8C1CE.1010701@goodadvice.pages.de> <BF7E36B9C495A6468E8EC573603ED9411EE55C3F@xmb-aln-x11.cisco.com>
Date: Wed, 31 Jul 2013 10:01:20 +0100
Message-ID: <CAKHUCzzBssWF8vLq9dcdXnd5LsMt5S7xoo6J8QvXUhmQd5jtyA@mail.gmail.com>
From: Dave Cridland <dave@cridland.net>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
Cc: Philipp Hancke <fippo@goodadvice.pages.de>, "<posh@ietf.org>" <posh@ietf.org>, XMPP Working Group <xmpp@ietf.org>

On Wed, Jul 31, 2013 at 9:18 AM, Matt Miller (mamille2) <mamille2@cisco.com> wrote:

> I will note that there is general queasiness with suspending disbelief on
> a connection, accepting the TLS handshake but then actually verifying (and
> potentially failing) the connection because of TLS failings; not the least
> of which is the potential for abuse is very very great.  This also means
> that any error reporting that one might get from their TLS implementations
> for better error reporting is lost.
>

If there is queasiness here, it's misplaced. The case for abuse here is
predicated on the TLS handshake being the authorization, which it is not in
any SASL-based protocol.

So in XMPP, we must already perform auth during the SASL exchange, and
during the <db:result/>, too.

If you have a protocol which conflates authentication and authorization, of
course, then the situation is different.
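As an added illustration of the layering argued above (this is not code from the thread, the POSH draft, or any XMPP implementation): a hypothetical model of a server-to-server connection in which the TLS handshake is accepted as-is, the peer certificate is checked afterwards against fingerprints obtained out of band, and that outcome only decides whether SASL EXTERNAL may succeed, while dialback remains available either way. The class and function names and the certificate bytes are constructed assumptions.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a peer's DER-encoded certificate (not a real cert).
PEER_CERT_DER = b"constructed-der-bytes-for-example.net"


def cert_fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER certificate."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class S2SConnection:
    """Hypothetical model of an XMPP s2s connection.

    The handshake only yields a certificate; nothing is authorized until
    verify_peer() and authorize() have run.
    """
    peer_domain: str
    peer_cert_der: Optional[bytes] = None
    cert_verified: bool = False
    authorized: bool = False

    def on_tls_handshake(self, der: bytes) -> None:
        # Accept the handshake and remember the certificate; trust it later, if at all.
        self.peer_cert_der = der
        self.cert_verified = False

    def verify_peer(self, expected_fingerprints: set) -> bool:
        # Post-handshake check against fingerprints learned out of band
        # (assumed to come from a lookup such as POSH). Failure does not
        # close the connection; it only withholds SASL EXTERNAL.
        if self.peer_cert_der is None:
            return False
        self.cert_verified = cert_fingerprint(self.peer_cert_der) in expected_fingerprints
        return self.cert_verified

    def available_auth_paths(self) -> list:
        # SASL EXTERNAL depends on the verified certificate; dialback does not.
        return ["sasl-external", "dialback"] if self.cert_verified else ["dialback"]

    def authorize(self, path: str, dialback_key_valid: bool = False) -> bool:
        # Authorization is decided here, at SASL or <db:result/>, not at the handshake.
        if path == "sasl-external":
            self.authorized = self.cert_verified
        elif path == "dialback":
            self.authorized = dialback_key_valid
        else:
            self.authorized = False
        return self.authorized
```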