[xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis

Stef Walter <stefw@collabora.co.uk> Mon, 14 March 2011 18:41 UTC

Message-ID: <4D7E61BD.50804@collabora.co.uk>
Date: Mon, 14 Mar 2011 19:43:09 +0100
From: Stef Walter <stefw@collabora.co.uk>
To: xmpp@ietf.org

draft-ietf-xmpp-3920bis [1] refers to
draft-saintandre-tls-server-id-check [2] when it comes to TLS
certificate identity verification.

It appears to me that draft-ietf-xmpp-3920bis section 13.7.2.1 (and
possibly section 13.7.2.2) require further clarifications when it comes
to the reference identifiers that are to be used. The draft currently
specifies that the 'to' and 'from' attributes of the initial stream
header become reference identifiers used in certificate verification.

 1. What kind of reference identifiers are defined in section
    13.7.2.1? It seems that the 'to' attribute on the client side of
    a client-to-server connection should be used as two reference
    identifiers of type DNS-ID and CN-ID. If so, this should probably
    be noted specifically.

    It appears that the 'from' attribute, used as an identity on the
    server side of a client-to-server connection, is used as an
    XmppAddr. Are there other ways to map this to a reference
    identifier? In either case, this should be noted.

 2. Section 3.2.3 'When Not to Use SRV' says that when a FQDN is
    explicitly configured it should be used in place of SRV lookups.
    It is not clear whether this explicitly specified FQDN should be
    used as a reference identity when verifying a certificate identity.

    This is explicitly user selected or configured information and
    therefore is available to be used as input to build the list of
    reference identifiers.

    A real example of this often occurs with the Google Apps hosted
    XMPP servers. The users explicitly configure the server as
    talk.google.com [3].

    Should the explicitly configured FQDN be used in place of the
    section 13.7.2.1 XMPP reference identifier(s), or in addition to
    them? Either way, this should be clear in the spec.

    Using multiple reference identifiers of the same type is not
    forbidden by draft-saintandre-tls-server-id-check. So this
    alternative shouldn't be dismissed out of hand.

Thanks for considering these issues (or helping set me straight :)

Cheers,

Stef

[1] http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-22

[2] http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-14

[3] http://www.google.com/support/a/bin/answer.py?answer=49147
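The following is an added example, not code from the post, the XMPP working group or any XMPP implementation. It makes the two points above concrete: how a client derives its reference identifiers from the stream's 'to' domain and, optionally, from an explicitly configured host (the "in addition to" reading the post asks about), and how those identifiers are then matched against what a server certificate presents, following the matching rules of draft-saintandre-tls-server-id-check (DNS-ID with a left-most-label wildcard only, XmppAddr exact, CN-ID consulted only when the certificate presents no DNS-ID or XmppAddr). The certificate contents are constructed stand-ins for parsed subjectAltName/CN values rather than real certificates; `hosted.example` is a made-up hosted domain, and deriving an XmppAddr from the 'to' domain is an assumption about which identifier types the client supports.

```python
"""Reference-identifier construction and matching for an XMPP client checking a
server certificate.  Added example; names and certificate contents are
constructed, and the "in addition to" treatment of a configured host is one of
the two readings the post asks the spec to choose between."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# OID of the id-on-xmppAddr otherName form that carries an XmppAddr in a SAN.
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"


@dataclass
class ReferenceIdentifiers:
    dns_ids: List[str] = field(default_factory=list)
    cn_ids: List[str] = field(default_factory=list)
    xmpp_addrs: List[str] = field(default_factory=list)


def build_reference_identifiers(xmpp_domain: str,
                                configured_fqdn: Optional[str] = None) -> ReferenceIdentifiers:
    """Derive the client's reference identifiers for a client-to-server stream.

    The 'to' attribute (the XMPP service domain) becomes a DNS-ID and a CN-ID,
    and (assumption) an XmppAddr.  An explicitly configured host, as in the
    'When Not to Use SRV' case, is added as a further DNS-ID and CN-ID rather
    than replacing the domain-derived ones; multiple identifiers of one type
    are permitted by draft-saintandre-tls-server-id-check.
    """
    domain = xmpp_domain.lower().rstrip(".")
    refs = ReferenceIdentifiers(dns_ids=[domain], cn_ids=[domain], xmpp_addrs=[domain])
    if configured_fqdn:
        host = configured_fqdn.lower().rstrip(".")
        if host != domain:
            refs.dns_ids.append(host)
            refs.cn_ids.append(host)
    return refs


def dns_id_matches(reference: str, presented: str) -> bool:
    """Case-insensitive DNS-ID comparison.  A wildcard is honoured only as the
    whole left-most label, must not span label boundaries, and must leave at
    least two fixed labels (so '*.example' never matches)."""
    ref = reference.lower().rstrip(".")
    pres = presented.lower().rstrip(".")
    if ref == pres:
        return True
    if pres.startswith("*."):
        ref_labels, pres_labels = ref.split("."), pres.split(".")
        return (len(pres_labels) >= 3
                and len(ref_labels) == len(pres_labels)
                and ref_labels[1:] == pres_labels[1:])
    return False


def verify_server_identity(refs: ReferenceIdentifiers,
                           presented: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Return (identifier type, matched value) or None.

    `presented` stands in for the identifiers parsed from the certificate:
    SAN dNSName entries, SAN otherName/xmppAddr entries, and subject CNs.
    """
    for ref in refs.xmpp_addrs:                      # exact match after lowercasing
        for pres in presented.get("xmpp_addrs", []):
            if ref.lower() == pres.lower():
                return ("XmppAddr", pres)
    for ref in refs.dns_ids:
        for pres in presented.get("dns_ids", []):
            if dns_id_matches(ref, pres):
                return ("DNS-ID", pres)
    # CN-ID is a fallback only: a certificate that carries DNS-ID or XmppAddr
    # SANs that do not match must fail even if its CN would have matched.
    if not presented.get("dns_ids") and not presented.get("xmpp_addrs"):
        for ref in refs.cn_ids:
            for pres in presented.get("cn_ids", []):
                if dns_id_matches(ref, pres):
                    return ("CN-ID", pres)
    return None


# Constructed certificate contents (not real certificates).
CERT_FOR_CONFIGURED_HOST = {"dns_ids": ["talk.google.com"], "xmpp_addrs": [],
                            "cn_ids": ["talk.google.com"]}
CERT_CN_ONLY = {"dns_ids": [], "xmpp_addrs": [], "cn_ids": ["hosted.example"]}
CERT_SAN_MISMATCH_CN_MATCH = {"dns_ids": ["other.example"], "xmpp_addrs": [],
                              "cn_ids": ["hosted.example"]}
CERT_XMPPADDR = {"dns_ids": ["*.hosting.example"], "xmpp_addrs": ["hosted.example"],
                 "cn_ids": []}


if __name__ == "__main__":
    domain_only = build_reference_identifiers("hosted.example")
    with_host = build_reference_identifiers("hosted.example", "talk.google.com")
    print("domain only vs host cert:", verify_server_identity(domain_only, CERT_FOR_CONFIGURED_HOST))
    print("with configured host     :", verify_server_identity(with_host, CERT_FOR_CONFIGURED_HOST))
    print("CN-only cert             :", verify_server_identity(domain_only, CERT_CN_ONLY))
    print("SAN mismatch, CN match   :", verify_server_identity(domain_only, CERT_SAN_MISMATCH_CN_MATCH))
    print("XmppAddr SAN             :", verify_server_identity(domain_only, CERT_XMPPADDR))
```

The first two calls are the hosted-domain case from the post: with only the 'to' domain as input, a certificate issued to the configured host does not verify, and with the configured FQDN added as a second DNS-ID it does. Whether that second identifier should be added at all is precisely the question the post leaves for the spec; what the code shows is that adding it changes the verification outcome, so the spec's choice is security-relevant either way.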