Re: [xmpp] UPDATED: draft-miller-xmpp-posh-prooftype
"Matt Miller (mamille2)" <mamille2@cisco.com> Mon, 07 January 2013 16:45 UTC
Return-Path: <mamille2@cisco.com>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D70521F8931 for <xmpp@ietfa.amsl.com>; Mon, 7 Jan 2013 08:45:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kJR00nkNHVqT for <xmpp@ietfa.amsl.com>; Mon, 7 Jan 2013 08:45:42 -0800 (PST)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4F75321F88F5 for <xmpp@ietf.org>; Mon, 7 Jan 2013 08:45:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5634; q=dns/txt; s=iport; t=1357577136; x=1358786736; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=lMaMAn2eZ7Uo5nqr5dft56q6F0lcCTSFxqvld+dp2ms=; b=bVaX3PfIJU24cpuUtuVZfUL4ftyo611GHXEHI0Gd5+35kSu4IMnvBui3 GAnayJdLhPwpf5tT5bK+XTavlVhx+9Y4ak5scW7K17w/OjIwO0ik6P7kR LsjfT2/JWR+6msJmBAM9uM2H/4wW0S+xrlmApkWSTjUHDkxnSXetXHEtU Q=;
X-Files: smime.p7s : 2283
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAB/76lCtJV2Z/2dsb2JhbAA8Cb1UFnOCHgEBAQMBeQULAgEIDgoKJAIwJQIEDgUIBogDBgy1U4xSEgODTWEDjweBIoZ+jy2CdIFoPg
X-IronPort-AV: E=Sophos; i="4.84,424,1355097600"; d="p7s'?scan'208"; a="159679005"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-6.cisco.com with ESMTP; 07 Jan 2013 16:45:24 +0000
Received: from xhc-rcd-x10.cisco.com (xhc-rcd-x10.cisco.com [173.37.183.84]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r07GjOwU007629 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 7 Jan 2013 16:45:24 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.171]) by xhc-rcd-x10.cisco.com ([173.37.183.84]) with mapi id 14.02.0318.004; Mon, 7 Jan 2013 10:45:24 -0600
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Philipp Hancke <fippo@goodadvice.pages.de>
Thread-Topic: [xmpp] UPDATED: draft-miller-xmpp-posh-prooftype
Thread-Index: AQHNYQkX9V40zEPjy0GhHDInS5a+QJgd+JGAgCGWt4A=
Date: Mon, 07 Jan 2013 16:45:23 +0000
Message-ID: <BF7E36B9C495A6468E8EC573603ED941150E2E40@xmb-aln-x11.cisco.com>
References: <E0D87D70-2B68-4A5A-8BF7-3FDDC0E91449@cisco.com> <alpine.DEB.1.10.1212170836300.25388@lo.psyced.org>
In-Reply-To: <alpine.DEB.1.10.1212170836300.25388@lo.psyced.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.129.24.74]
Content-Type: multipart/signed; boundary="Apple-Mail=_34454647-DAFF-4B77-A467-2578A027A340"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Cc: XMPP Working Group <xmpp@ietf.org>
Subject: Re: [xmpp] UPDATED: draft-miller-xmpp-posh-prooftype
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2013 16:45:43 -0000
On Dec 17, 2012, at 12:49 AM, Philipp Hancke <fippo@goodadvice.pages.de> wrote: > On Fri, 13 Jul 2012, Matt Miller (mamille2) wrote: >> An update to draft-miller-xmpp-posh-prooftype is now available. The only change is the syntax of the .well-known URI. >> >> < http://tools.ietf.org/html/draft-miller-xmpp-posh-prooftype-01 > >> >> >> Enjoy! > Thank you for the feedback! > Just had a chance to do so again -- some questions: > 1) can there be multiple certificates (for rollover) in the file? > 2) can the file contain a chain of certificates or is this limited to the > end entity certificate? The current revision implies a single certificate. However, specifying a chain and/or rollovers is definitely something that needs to be supported. I was trying to keep deployment as simple as possible; ideally not more than "copy the PEMs into the file". I think concatenation can handle either chains or rollovers fine, but not both. I'm open to suggestions here. > 3) is the subject of the certificate(s) fetched checked against RFC 6125? > If not, wouldn't it be sufficient to compare hashes? That is a good question. The current revision states that it does not supersede RFC6125, which one could interpret to mean the fetched certificate MUST contain a matching reference identifier. I personally think a hash compare is fine. How about something along the lines of the following? #### 7. Security Considerations This document supplements but does not supersede the security considerations provided in [RFC2616], [RFC2818], [RFC6120], and [RFC6125], except as specified below. Specifically, communication via HTTPS depends on checking the identity of the HTTP server in accordance with [RFC2818]. A client MAY accept the server's TLS certificate if the Public Subject Key Info (or hash thereof) matches the POSH-obtained certificate, forgoing any identifier matches mandated by [RFC6125]. #### Thoughts? - m&m Matt Miller < mamille2@cisco.com > Cisco Systems, Inc.
- [xmpp] UPDATED: draft-miller-xmpp-posh-prooftype Matt Miller (mamille2)
- Re: [xmpp] UPDATED: draft-miller-xmpp-posh-prooft… Philipp Hancke
- Re: [xmpp] UPDATED: draft-miller-xmpp-posh-prooft… Matt Miller (mamille2)