Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis

Florian Zeitz <florob@babelmonkeys.de> Mon, 14 March 2011 23:18 UTC

Message-ID: <4D7EA297.1020304@babelmonkeys.de>
Date: Tue, 15 Mar 2011 00:19:51 +0100
From: Florian Zeitz <florob@babelmonkeys.de>
To: xmpp@ietf.org
References: <C9A3FBEC.4D471%joe.hildebrand@webex.com>
In-Reply-To: <C9A3FBEC.4D471%joe.hildebrand@webex.com>
Subject: Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>

On 15.03.2011 00:07, Joe Hildebrand wrote:
> On 3/14/11 4:38 PM, "Florian Zeitz" <florob@babelmonkeys.de> wrote:
>
>> I was recently wondering something related.
>> Do I set the 'to' attribute in the initial stream header to the JID's
>> domainpart, or to the domain I got from a SRV lookup?
>> The latter is certainly not sufficient as a source domain. That in turn
>> implies (IMHO) we will always have/want to set the 'to' attribute to the
>> JID's domainpart (and while the draft actually says to put a
>> "domainpart" there, it is not specific on where to get that from,
>> especially for the cases where you can't set a 'from', because you don't
>> know the JID beforehand). I'd therefore assume you'd not use the
>> user-entered FQDN as source domain, but I'd like some clarification on
>> that point, too.
>
> It's always the domain name the user entered, not something you get from the
> (currently untrusted) DNS.  Many servers use this name to figure out which
> certificate to give you when you Start-TLS, rather than having to rely on
> SNI.
>
That is not a sufficient answer.
Stef Walter's point, which I was trying to address, was that in some 
cases the user entered two different domains: one as part of his JID, the 
other as the domain to connect to.
Both are certainly valid options for checking against.
My reasoning was that since you have to use the domainpart of the JID 
when doing SRV (I was not sure from reading the draft, but it seemed 
sensible), it seems logical to do the same when the user specified an FQDN.

--
Florian Zeitz
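As an added illustration of the point argued in this thread (this is not code from the thread or from any XMPP implementation), the Python sketch below derives the reference identity from the JID's domainpart, uses the SRV target only as the address to connect to, and checks a server certificate's presented identifiers against the reference. The helper names, the constructed SRV record and the constructed certificate identifiers are assumptions. The matching rules are a simplified rendering of RFC 6120 section 13.7.2 and RFC 6125 (SRV-ID, XmppAddr, and dNSName with a single-label wildcard), which goes a little beyond what the messages above spell out. The `srv_target_as_reference` entry in `demo()` shows what goes wrong if the SRV target were used as the reference: a certificate naming only the hoster's machine would then pass for whatever domain an untrusted SRV answer pointed at it.

```python
"""Added example: which name an XMPP client checks the server certificate
against, and why the SRV target is not that name.

Constructed data and helper names are assumptions, not from the thread.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    """Result of an _xmpp-client._tcp SRV lookup (constructed sample)."""
    target: str
    port: int


@dataclass
class PresentedIdentifiers:
    """Identifiers read from a certificate's subjectAltName (constructed
    sample; a real client would parse them out of the certificate)."""
    dns_names: List[str] = field(default_factory=list)
    srv_names: List[str] = field(default_factory=list)   # id-on-dnsSRV
    xmpp_addrs: List[str] = field(default_factory=list)  # id-on-xmppAddr


def domainpart(jid: str) -> str:
    """Domainpart of a JID: 'user@host/resource' -> 'host', lower-cased.
    A real client would apply the full RFC 6122 normalisation here."""
    host = jid.split("@", 1)[1] if "@" in jid else jid
    host = host.split("/", 1)[0].rstrip(".").lower()
    if not host:
        raise ValueError("JID has no domainpart: %r" % jid)
    return host


def reference_identity(jid: str) -> str:
    """Name for the stream header 'to' attribute and for the certificate
    check. Derived from what the user typed, never from DNS, because DNS
    is untrusted until the TLS handshake has been verified."""
    return domainpart(jid)


def connect_target(jid: str, srv: Optional[SrvRecord] = None) -> Tuple[str, int]:
    """Where to open the TCP connection. The SRV target is used here and
    only here; it never becomes a reference identity."""
    if srv is not None:
        return srv.target.rstrip(".").lower(), srv.port
    return domainpart(jid), 5222  # fallback when no SRV record exists


def _dns_name_matches(presented: str, reference: str) -> bool:
    """dNSName comparison: exact (case-insensitive), or a wildcard that is
    the whole left-most label and matches exactly one label."""
    presented = presented.rstrip(".").lower()
    if presented == reference:
        return True
    if presented.startswith("*."):
        suffix = presented[2:]
        if not suffix or "*" in suffix:
            return False
        head, sep, rest = reference.partition(".")
        return bool(head) and sep == "." and rest == suffix
    return False


def check_server_identity(reference: str, presented: PresentedIdentifiers,
                          service: str = "xmpp-client") -> Optional[str]:
    """Return the identifier type that matched, or None. SRV-ID and
    XmppAddr are application-specific and checked first, as RFC 6120
    prefers; dNSName is the fallback and the only place wildcards count."""
    reference = reference.rstrip(".").lower()
    wanted_srv = "_%s.%s" % (service, reference)
    if any(s.rstrip(".").lower() == wanted_srv for s in presented.srv_names):
        return "SRV-ID"
    if any(x.rstrip(".").lower() == reference for x in presented.xmpp_addrs):
        return "XmppAddr"
    if any(_dns_name_matches(d, reference) for d in presented.dns_names):
        return "dNSName"
    return None


def demo() -> dict:
    """The case from the thread: the JID's domain is hosted elsewhere and
    the SRV record points at the hoster's machine."""
    jid = "juliet@example.com/balcony"
    srv = SrvRecord(target="xmpp1.hoster.example.", port=5222)  # constructed
    ref = reference_identity(jid)
    host, port = connect_target(jid, srv)
    # Names only the machine we connected to: must fail for example.com.
    hoster_only = PresentedIdentifiers(dns_names=["xmpp1.hoster.example"])
    # Carries an SRV-ID for the user's domain: passes.
    srv_id_cert = PresentedIdentifiers(dns_names=["xmpp1.hoster.example"],
                                       srv_names=["_xmpp-client.example.com"])
    # Wildcard: matches im.example.com but not the bare example.com.
    wildcard_cert = PresentedIdentifiers(dns_names=["*.example.com"])
    return {
        "reference": ref,
        "connect": (host, port),
        "hoster_only": check_server_identity(ref, hoster_only),
        "srv_target_as_reference": check_server_identity(host, hoster_only),
        "srv_id": check_server_identity(ref, srv_id_cert),
        "wildcard_vs_bare": check_server_identity(ref, wildcard_cert),
        "wildcard_vs_sub": check_server_identity("im.example.com", wildcard_cert),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %s" % (key, value))
```

A connect host the user typed by hand, if a client chose to accept it as a second reference (the "both are valid options" case raised above), would simply be a second `check_server_identity` call with that name; the SRV target never gets one.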