Re: [POSH] Comments/questions on draft-miller-posh-00
Michael Procter <michael@voip.co.uk> Mon, 29 July 2013 10:25 UTC
Return-Path: <michael@voip.co.uk>
X-Original-To: posh@ietfa.amsl.com
Delivered-To: posh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F1E321F9EB3 for <posh@ietfa.amsl.com>; Mon, 29 Jul 2013 03:25:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.977
X-Spam-Level:
X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RQS9oMlQ3E7 for <posh@ietfa.amsl.com>; Mon, 29 Jul 2013 03:25:44 -0700 (PDT)
Received: from na3sys009aog114.obsmtp.com (na3sys009aog114.obsmtp.com [74.125.149.211]) by ietfa.amsl.com (Postfix) with SMTP id DFD3C21F9981 for <posh@ietf.org>; Mon, 29 Jul 2013 03:25:43 -0700 (PDT)
Received: from mail-wg0-f43.google.com ([74.125.82.43]) (using TLSv1) by na3sys009aob114.postini.com ([74.125.148.12]) with SMTP ID DSNKUfZDGzq2RlGU0kS5FkUlrcYfdFtkxbMB@postini.com; Mon, 29 Jul 2013 03:25:44 PDT
Received: by mail-wg0-f43.google.com with SMTP id z12so4637670wgg.34 for <posh@ietf.org>; Mon, 29 Jul 2013 03:25:30 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=YaiFohOZnXzxVWDL3moM4Ab9mpt+peLzZWKEBgq9TLk=; b=FWNPxdNWokRTPQoRf9M0a7trek+hstLSbagFwXSMx8w8kOFYAwNUsnYrG7QY2ER+mw SYcFYrurhh/zps+SkFa4Yc7+NAtkRhA4dr+p8j34HG7sJXFIpcq8Fdr+OcPRY/ZbhEmy 7EEiCEWHpLJzsaToZtOBeL/ZtaWuk+g5ZPhjEQvXLOejXjVCN1z5BJRk42dfI3LVhMZp rr8PgsSLKZ+Ne/Nm/q27z5nqOGc+cV0OKRvGoG8PJnEbcuqqYdpwYr89LYH4yabpFnX9 zC41YhTUsZwZtIXI6Mk8iG55w/rKWk9+xyuon0BVC7mq8wWW31GsgAgBqpCXk1n06WvJ YZDQ==
X-Received: by 10.180.160.240 with SMTP id xn16mr6581599wib.62.1375093530620; Mon, 29 Jul 2013 03:25:30 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.160.240 with SMTP id xn16mr6581591wib.62.1375093530559; Mon, 29 Jul 2013 03:25:30 -0700 (PDT)
Received: by 10.194.164.234 with HTTP; Mon, 29 Jul 2013 03:25:30 -0700 (PDT)
In-Reply-To: <51F56C79.3020503@goodadvice.pages.de>
References: <CAPms+wRR_ZtLq94mRCDVXEW9WyZeDmYx+1hU+zCXV1fT0GSZ+g@mail.gmail.com> <51F401CE.9080803@stpeter.im> <51F56C79.3020503@goodadvice.pages.de>
Date: Mon, 29 Jul 2013 11:25:30 +0100
Message-ID: <CAPms+wQ5P_4ap+7iZRRbSTLQE-z9AzLcK7b19CoU1u-N3Gn6Ow@mail.gmail.com>
From: Michael Procter <michael@voip.co.uk>
To: Philipp Hancke <fippo@goodadvice.pages.de>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQmEuJzwWJDAlF1KZ17M2X8xSFfij3vXZa98NOFaNRI5ds6Zg/Npf3IQ7lKYCNOt6+WyVAif9RxuABvLaQHwQnSS3Q0aaaAScCAv6j+EdjInfsEc0c6MVAn862OHz3EoAaGGUNeP
Cc: posh@ietf.org
Subject: Re: [POSH] Comments/questions on draft-miller-posh-00
X-BeenThere: posh@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion about PKIX Over Secure HTTP <posh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/posh>, <mailto:posh-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/posh>
List-Post: <mailto:posh@ietf.org>
List-Help: <mailto:posh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/posh>, <mailto:posh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 10:25:50 -0000
On 28 July 2013 20:09, Philipp Hancke <fippo@goodadvice.pages.de> wrote: > Am 27.07.2013 19:22, schrieb Peter Saint-Andre: > >>> Similarly, I can't see anything obviously wrong with letting the >>> application handshake complete, then performing the POSH >>> operations before deciding the application connection is not >>> suitable and should be terminated before being used. Is the MUST >>> in this section mandating the order of operations necessary for >>> some other reason? >> >> >> As mentioned above, the MUST here is perhaps a bit silly because it's >> so obvious. I think there is a better way to word it... > > > It isn't. In server-to-server XMPP what is typically done is to let the tls > handshake succeed and only offer sasl external if the peer certificate is > "valid". The same could be done for POSH... after the handshake is complete, > look at the verification result. If it is valid, send stream features > including external; if not, do the POSH dance. Thanks, Philipp. That is the sort of scenario I was thinking about, which is why I questioned the MUST. Doing the POSH lookup after the TLS handshake seems fine, as long as the application doesn't try to use the not-yet-verified connection until POSH completes. I can't think of a protocol reason why the TLS handshake must be held off until POSH completes, unless you wish to withold a client cert until the server is trusted. That obviously doesn't apply if you aren't doing mutual auth. Regards, Michael
- [POSH] Comments/questions on draft-miller-posh-00 Michael Procter
- Re: [POSH] Comments/questions on draft-miller-pos… Peter Saint-Andre
- Re: [POSH] Comments/questions on draft-miller-pos… Philipp Hancke
- Re: [POSH] Comments/questions on draft-miller-pos… Michael Procter
- Re: [POSH] Comments/questions on draft-miller-pos… Michael Procter
- Re: [POSH] Comments/questions on draft-miller-pos… Michael Procter
- Re: [POSH] Comments/questions on draft-miller-pos… Philipp Hancke
- Re: [POSH] Comments/questions on draft-miller-pos… Matt Miller (mamille2)
- Re: [POSH] [xmpp] Comments/questions on draft-mil… Dave Cridland
- Re: [POSH] [xmpp] Comments/questions on draft-mil… Peter Saint-Andre
- Re: [POSH] [xmpp] Comments/questions on draft-mil… Philipp Hancke