Re: [TLS] SAS extension?
Peter Saint-Andre <stpeter@stpeter.im> Tue, 05 August 2008 17:36 UTC
Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 215BE3A6C1D; Tue, 5 Aug 2008 10:36:14 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6CFB93A6BE5 for <tls@core3.amsl.com>; Tue, 5 Aug 2008 10:36:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.368
X-Spam-Level:
X-Spam-Status: No, score=-2.368 tagged_above=-999 required=5 tests=[AWL=0.231, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J3DaWAfM1own for <tls@core3.amsl.com>; Tue, 5 Aug 2008 10:36:11 -0700 (PDT)
Received: from dizzyd.com (dizzyd.com [207.210.219.225]) by core3.amsl.com (Postfix) with ESMTP id 4703F3A6BC0 for <tls@ietf.org>; Tue, 5 Aug 2008 10:36:11 -0700 (PDT)
Received: from wrk225.corp.jabber.com (dencfw1.jabber.com [207.182.164.5]) (Authenticated sender: stpeter) by dizzyd.com (Postfix) with ESMTPSA id 551B040048; Tue, 5 Aug 2008 11:33:50 -0600 (MDT)
Message-ID: <48988FA6.9010703@stpeter.im>
Date: Tue, 05 Aug 2008 11:36:38 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.16) Gecko/20080707 Thunderbird/2.0.0.16 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Dan Wing <dwing@cisco.com>
References: <038301c8f712$1b4c33f0$c2f0200a@cisco.com> <48988666.8020405@stpeter.im> <052f01c8f71d$be2fe020$c2f0200a@cisco.com>
In-Reply-To: <052f01c8f71d$be2fe020$c2f0200a@cisco.com>
Cc: tls@ietf.org
Subject: Re: [TLS] SAS extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1395086646=="
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org
Dan Wing wrote: >> Dan Wing wrote: >>> Peter Saint-Andre wrote: <snip/> >>>> Whether Aunt Tillie would even check the SAS (or any other >>>> credential) properly is another matter, but that's a separate >>>> topic... >>> That inability to audit is a significant hurdle for commercial >>> deployment, of course. The problem isn't just Aunt Tillie, it >>> is the "busy" CxO who can't be bothered to verify they are >>> really talking to accounting versus talking to a social engineer >>> that wants to turn a profit prior to the release of a company's >>> end-of-quarter financial results. Similar risks exist with >>> drug researchers or any other portion of a company that deals >>> with sensitive information or the company's intellectual >>> property. >> Well, I tend to think that people who can't be bothered to learn at >> least a little bit about security don't deserve to have secured >> communications. I realize that's a bit harsh, but so be it. > > Internal auditors, HIPAA, SEC regulations, and Sarbanes-Oxley > all prefer auditable systems -- not systems that rely on humans > to remember something. Aha, sorry, I had missed your text about auditors the first time around. >>>> [1] http://www.xmpp.org/extensions/xep-0116.html >>>> [2] http://www.xmpp.org/extensions/xep-0246.html >>>> [3] http://www.xmpp.org/extensions/xep-0174.html >>>> [4] http://www.xmpp.org/extensions/xep-0247.html >>> An approach that some SIP folks considered for end-to-end TLS is >>> to re-use HTTP's CONNECT (which is how you proxy HTTPS through >>> an HTTPS proxy). This might also be helpful for XMPP. The SIP >>> approach is described in >>> http://tools.ietf.org/html/draft-gurbani-sip-sipsec-01 >>> (now expired). >> Yes, that might work for SIP -- I'm not competent to judge. >> For XMPP, we >> already use TLS for client-to-server streams, >> server-to-server streams, >> and direct client-to-client streams in the link-local case. > > That is very similar to SIP. > >> So re-using TLS for end-to-end connections (via a reliable >> transport such as a >> direct TCP connection negotiated via ICE-TCP, a mediated >> bytestream, or >> even XMPP itself) makes a lot of sense for our developer >> community. > > Are you trying to secure the data connection between the XMPP > peers, or trying to secure XMPP signaling between XMPP peers > that have successfully rendezvoused via XMPP? > > (SIPSEC does the latter.) Translating SIP-speak into XMPP-speak, I would say the latter. Typically this would be used to secure the messages and other signalling traffic that you exchange with someone who is known to you, i.e., the person's JabberID is already in your XMPP roster (contact list) and you already have a long-lived, bi-directional presence subscription with the person. Peter
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] SAS extension? Eric Rescorla
- Re: [TLS] SAS extension? Pasi.Eronen
- [TLS] SAS extension? Peter Saint-Andre
- Re: [TLS] SAS extension? Peter Saint-Andre
- Re: [TLS] SAS extension? Dan Wing
- Re: [TLS] SAS extension? Peter Saint-Andre
- Re: [TLS] SAS extension? Dan Wing
- Re: [TLS] SAS extension? Peter Saint-Andre
- Re: [TLS] SAS extension? Yaron Sheffer
- Re: [TLS] SAS extension? Peter Saint-Andre
- Re: [TLS] SAS extension? Yaron Sheffer
- Re: [TLS] SAS extension? Peter Saint-Andre