IETF Logo Mail Archive

[xmpp] Questions on POSH (WAS: Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-03.txt]

"Matt Miller (mamille2)" <mamille2@cisco.com> Wed, 13 February 2013 15:45 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFD7D21F890D for <xmpp@ietfa.amsl.com>; Wed, 13 Feb 2013 07:45:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.499
X-Spam-Level:
X-Spam-Status: No, score=-10.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GokwsVVg+DP0 for <xmpp@ietfa.amsl.com>; Wed, 13 Feb 2013 07:45:37 -0800 (PST)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id F179421F88FD for <xmpp@ietf.org>; Wed, 13 Feb 2013 07:45:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6252; q=dns/txt; s=iport; t=1360770337; x=1361979937; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=e85+V9yheGjz7FrhkobsKS2WDf5Dh1prhuzfKLct0+g=; b=LRTRY9C5x2dsjMx2GYfpFc23c2Cp8bzleym9E1s/8qS+itMUNbhBVg6s F3A5d37cXFgZvnWeR9I6K5ixzcL8UfQ1eLRD3XkHMjqGw9e1tXnNVaWx6 qZvqlF4I0Fk1ZVTWg9TsROmPlHKq500cOq8KJ0+CPRDCBgYJcEIdauoOM w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgkFAHe0G1GtJXG9/2dsb2JhbABFg3m8cRZzgh8BAQEDAQEBATctBwEKBQcEAgEZAwECAQoUECcLFAkIAgQOBQgBiAMGBwW+apEiYQOXQYomhRCDBoFrJBg
X-IronPort-AV: E=Sophos;i="4.84,658,1355097600"; d="scan'208";a="176666990"
Received: from rcdn-core2-2.cisco.com ([173.37.113.189]) by rcdn-iport-6.cisco.com with ESMTP; 13 Feb 2013 15:45:31 +0000
Received: from xhc-rcd-x08.cisco.com (xhc-rcd-x08.cisco.com [173.37.183.82]) by rcdn-core2-2.cisco.com (8.14.5/8.14.5) with ESMTP id r1DFjUlm010343 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 13 Feb 2013 15:45:30 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.203]) by xhc-rcd-x08.cisco.com ([173.37.183.82]) with mapi id 14.02.0318.004; Wed, 13 Feb 2013 09:45:30 -0600
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Simon Tennant <simon@buddycloud.com>
Thread-Topic: Questions on POSH (WAS: [xmpp] Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-03.txt]
Thread-Index: AQHOCgEmBV/1KOpGpEmLRwKBpab5TA==
Date: Wed, 13 Feb 2013 15:45:30 +0000
Message-ID: <BF7E36B9C495A6468E8EC573603ED94115135FCB@xmb-aln-x11.cisco.com>
References: <20130110184432.5134.57184.idtracker@ietfa.amsl.com> <50EF71A4.1050606@stpeter.im> <CACEE+iPix6zGpFDC0KAOyR+33_2wdzPtyiFTDn7di7-T6vZKqw@mail.gmail.com>
In-Reply-To: <CACEE+iPix6zGpFDC0KAOyR+33_2wdzPtyiFTDn7di7-T6vZKqw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.129.24.55]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1DE08E3B0EC6494D82ADF5638DE27649@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: XMPP Working Group <xmpp@ietf.org>, Florian Jensen <florian@florianjensen.com>
Subject: [xmpp] Questions on POSH (WAS: Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-03.txt]
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2013 15:45:39 -0000

Hello Simon,

Thanks for your feedback.  I have more comments inline.

On Feb 13, 2013, at 7:02 AM, Simon Tennant <simon@buddycloud.com>
 wrote:

> I've been chatting with Florian about this the two standards for proving
> ownership in the case of a delegating domain hosting.
> 
> Some background: Florian hosts many XMPP domains and at buddycloud, we're
> putting plans in place to host XMPP domains. In both cases, the more we
> have to ask customers to configure on their end, the less chance there is
> of a successful deployment.
> 
> Right now this is:
> a) customer edits their DNS and point it at our servers. Nothing else.

Today this provides no actual verification in and of itself.  To be trusted, that hosting provider must present a certificate with the source domain's identifier.  This is becoming more and more difficult to do if the hosting provider and the source domain are not the same thing.

Alternatively, the hosting provider could acquire a certificate+private key from the source domain, and carry the liabilities that having that private key carries.

> 
> I have huge concerns about expecting customers to provide proofs at the web
> layer. Especially something that runs on their "main" website. Some reasons
> off the top of my head:
> a) Messaging team is different to web team - slow or no deployment.

Reality is that deployment requires coordination. I do appreciate the difficulties that arise with coordination, but trust sometimes requires coordination.

> b) no website hosted on their domain - do we now host web stuff too?

For POSH, it would mean having enough of an HTTPS server to either present the certs, or have a HTTPS-level redirect.

> c) their website is created or hosted by their marketing agency / some
> other less technical. A simple website push could overwrite their
> .well-known record could kill their messaging service.

They would need to protect .well-known, but this would be true of just about anything that gets placed on a web server.

> d) it's complicated.
> 

Please elaborate on what exactly is complicated about POSH.

> DNSSEC is being rolled out. Sure some registrar and TLDs will take longer
> to deploy, but in the long term, I think this is the right way to have
> customers (especially non-technical customers who would rather delegate
> hosting) delegate their hosting.
> 

Personally, I don't think DNSSEC will be useable for several years.  Not only does each domain need to have signed records, but just about all of the recursive resolvers would need to leave any response (answer + additional + authority) from their upstream unmolested.  It would also require the clients to do the validation; trusting the "AD flag" from your recursive validating resolver is about as trustworthy as today's dialback.

While parts of these are happening, the implications are still not well understood, which further hurts deployment. POSH is seen by some as a path that we could start to deploy today with a very reasonable chance of success.

If POSH doesn't work for you, then I guess you don't deploy it.


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

> 
> On 11 January 2013 02:57, Peter Saint-Andre <stpeter@stpeter.im> wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> Just a small update to reflect publication of RFC 6698...
>> 
>> Peter
>> 
>> - -------- Original Message --------
>> Subject: I-D Action: draft-miller-xmpp-dnssec-prooftype-03.txt
>> Date: Thu, 10 Jan 2013 10:44:32 -0800
>> From: internet-drafts@ietf.org
>> Reply-To: internet-drafts@ietf.org
>> To: i-d-announce@ietf.org
>> 
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> 
>> 
>>        Title           : Using DNS Security Extensions (DNSSEC) and
>> DNS-based Authentication of Named Entities (DANE) as a Prooftype for
>> XMPP Domain Name Associations
>>        Author(s)       : Matthew Miller
>>                          Peter Saint-Andre
>>        Filename        : draft-miller-xmpp-dnssec-prooftype-03.txt
>>        Pages           : 7
>>        Date            : 2013-01-10
>> 
>> Abstract:
>>   This document defines a prooftype that uses DNS-based Authentication
>>   of Named Entities (DANE) for associating a domain name with an XML
>>   stream in the Extensible Messaging and Presence Protocol (XMPP).  It
>>   also defines a method that uses DNS Security (DNSSEC) for securely
>>   delegating a source domain to a derived domain in XMPP.
>> 
>> 
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-miller-xmpp-dnssec-prooftype
>> 
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype-03
>> 
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-miller-xmpp-dnssec-prooftype-03
>> 
>> 
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>> 
>> _______________________________________________
>> I-D-Announce mailing list
>> I-D-Announce@ietf.org
>> https://www.ietf.org/mailman/listinfo/i-d-announce
>> Internet-Draft<https://www.ietf.org/mailman/listinfo/i-d-announceInternet-Draft>directories:
>> http://www.ietf.org/shadow.html
>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>> 
>> 
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
>> Comment: Using GnuPG with undefined - http://www.enigmail.net/
>> 
>> iEYEARECAAYFAlDvcaQACgkQNL8k5A2w/vxOswCfSD5OrV7Fgj0gkgrFaBfroWks
>> HWAAn0hwNNsP0pPiX+lRwoz0sEEHj53X
>> =8YV7
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> xmpp mailing list
>> xmpp@ietf.org
>> https://www.ietf.org/mailman/listinfo/xmpp
>> 
> 
> 
> 
> -- 
> Simon Tennant | buddycloud.com | +49 17 8545 0880 | office hours: goo.gl/
> tQgxP
> _______________________________________________
> xmpp mailing list
> xmpp@ietf.org
> https://www.ietf.org/mailman/listinfo/xmpp

v2.23.0 | Report a Bug | By Email