Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis

Joe Hildebrand <joe.hildebrand@webex.com> Mon, 14 March 2011 23:06 UTC

Date: Mon, 14 Mar 2011 17:07:56 -0600
From: Joe Hildebrand <joe.hildebrand@webex.com>
To: Florian Zeitz <florob@babelmonkeys.de>, xmpp@ietf.org

On 3/14/11 4:38 PM, "Florian Zeitz" <florob@babelmonkeys.de> wrote:


> I was recently wondering something related.
> Do I set the 'to' attribute in the initial stream header to the JID's
> domainpart, or to the domain I got from a SRV lookup?
> The latter is certainly not sufficient as a source domain. That in turn
> implies (IMHO) we will always have/want to set the 'to' attribute to the
> JID's domainpart (and while the draft actually says to put a
> "domainpart" there, it is not specific on where to get that from,
> especially for the cases where you can't set a 'from', because you don't
> know the JID beforehand). I'd therefore assume you'd not use the
> user-entered FQDN as source domain, but I'd like some clarification on
> that point, too.

It's always the domain name the user entered, not something you get from the
(currently untrusted) DNS.  Many servers use this name to figure out which
certificate to give you when you Start-TLS, rather than having to rely on
SNI.

-- 
Joe Hildebrand
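As an added illustration of the point made above (example code written for this archive page, not from the thread or from any XMPP implementation): the client builds the stream header's 'to' from the JID's domainpart, the server reads that value to pick which certificate to offer at STARTTLS, and the client's identity check accepts only names that identify the domain the user entered, so a certificate that names only the SRV target fails. The JID, host name and certificate names are constructed.

```python
import re
from xml.sax.saxutils import quoteattr

# Constructed sample: the user entered juliet@example.net; the (untrusted)
# SRV lookup for _xmpp-client._tcp.example.net pointed at xmpp1.hosting.example.
USER_JID = "juliet@example.net"

def domainpart(jid):
    """Domainpart of a bare or full JID (localpart@domainpart/resource)."""
    rest = jid.split("@", 1)[1] if "@" in jid else jid
    return rest.split("/", 1)[0].lower()

def stream_header(jid, include_from=True):
    """Initial stream header: 'to' is the domain the user entered (the JID's
    domainpart), never the SRV target. 'from' is omitted when the client
    does not know the JID before authentication."""
    attrs = ["to=" + quoteattr(domainpart(jid))]
    if include_from:
        attrs.append("from=" + quoteattr(jid))
    attrs += ["version='1.0'", "xmlns='jabber:client'",
              "xmlns:stream='http://etherx.jabber.org/streams'"]
    return "<stream:stream " + " ".join(attrs) + ">"

def stream_to(header):
    """Server side: the 'to' value, used to pick which certificate to offer
    during STARTTLS without depending on SNI."""
    m = re.search(r"\sto=(['\"])(.*?)\1", header)
    return m.group(2) if m else None

def cert_identifies(san_entries, source_domain):
    """Client side: does the server certificate identify source_domain?
    Accepts an exact or single-wildcard dNSName, or an SRV-ID for the
    xmpp-client service. A name that only matches the SRV target fails."""
    ref = source_domain.lower()
    for kind, value in san_entries:
        value = value.lower()
        if kind == "dNSName":
            if value == ref:
                return True
            if (value.startswith("*.") and ref.endswith(value[1:])
                    and ref.count(".") == value.count(".")):
                return True
        elif kind == "SRVName" and value == "_xmpp-client." + ref:
            return True
    return False

# Certificate of the hosting machine (constructed): names only its own host.
HOST_CERT_SANS = [("dNSName", "xmpp1.hosting.example"), ("dNSName", "*.hosting.example")]
# Certificate the server should offer for this 'to' value (constructed).
DOMAIN_CERT_SANS = [("dNSName", "example.net"), ("SRVName", "_xmpp-client.example.net")]
```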