Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis
Joe Hildebrand <joe.hildebrand@webex.com> Mon, 14 March 2011 23:06 UTC
On 3/14/11 4:38 PM, "Florian Zeitz" <florob@babelmonkeys.de> wrote:

> I was recently wondering something related.
> Do I set the 'to' attribute in the initial stream header to the JID's
> domainpart, or to the domain I got from a SRV lookup?
> The latter is certainly not sufficient as a source domain. That in turn
> implies (IMHO) we will always have/want to set the 'to' attribute to the
> JID's domainpart (and while the draft actually says to put a
> "domainpart" there, it is not specific on where to get that from,
> especially for the cases where you can't set a 'from', because you don't
> know the JID beforehand). I'd therefore assume you'd not use the
> user-entered FQDN as source domain, but I'd like some clarification on
> that point, too.

It's always the domain name the user entered, not something you get from the
(currently untrusted) DNS. Many servers use this name to figure out which
certificate to give you when you Start-TLS, rather than having to rely on
SNI.

-- 
Joe Hildebrand
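The rule stated in the reply above, sketched as an added example that is not part of the original message or of any XMPP implementation: the SRV result only chooses the socket destination, while the stream header's 'to' and the TLS reference identity both come from the user-entered domain. The names `ConnectPlan`, `plan_connection`, `stream_header`, `starttls_upgrade` and the SRV sample data are assumptions made for illustration.

```python
import ssl
from dataclasses import dataclass
from xml.sax.saxutils import quoteattr

@dataclass(frozen=True)
class ConnectPlan:
    connect_host: str  # TCP destination, taken from SRV (untrusted DNS)
    connect_port: int
    stream_to: str     # 'to' attribute of the initial stream header
    tls_identity: str  # name sent as SNI and checked against the certificate

def domainpart(jid: str) -> str:
    """Domainpart of a user-entered JID (localpart@domainpart/resourcepart)."""
    bare = jid.split("/", 1)[0]      # resourcepart starts at the first '/'
    domain = bare.split("@", 1)[-1].rstrip(".").lower()
    if not domain:
        raise ValueError("JID has no domainpart")
    return domain

def plan_connection(jid: str, srv_records) -> ConnectPlan:
    """srv_records: (priority, weight, target, port) tuples from _xmpp-client._tcp."""
    source = domainpart(jid)
    if srv_records:
        # Lowest priority wins; weighted selection among equals is omitted here.
        _, _, target, port = min(srv_records, key=lambda r: r[0])
        host = target.rstrip(".")
    else:
        host, port = source, 5222    # fallback: the source domain, port 5222
    # The SRV target only decides where the socket goes; it never becomes identity.
    return ConnectPlan(host, port, stream_to=source, tls_identity=source)

def stream_header(plan: ConnectPlan) -> str:
    return ("<stream:stream to=%s version='1.0' xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams'>" % quoteattr(plan.stream_to))

def starttls_upgrade(sock, plan: ConnectPlan) -> ssl.SSLSocket:
    """Call after the server's <proceed/>; verifies the cert against the source domain."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True
    return ctx.wrap_socket(sock, server_hostname=plan.tls_identity)

# Constructed sample data, not taken from the thread.
SAMPLE_SRV = [(10, 0, "fallback.hosting.example.", 5222),
              (5, 0, "im1.hosting.example.", 5223)]
```

A certificate that is valid only for the SRV target (here `im1.hosting.example`) fails the hostname check in `starttls_upgrade`, which is the intended outcome when the DNS answer is not trusted.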