IETF Logo Mail Archive

Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis

Stef Walter <stefw@collabora.co.uk> Wed, 16 March 2011 10:05 UTC

Return-Path: <stefw@collabora.co.uk>
X-Original-To: xmpp@core3.amsl.com
Delivered-To: xmpp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F0043A6917 for <xmpp@core3.amsl.com>; Wed, 16 Mar 2011 03:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.498
X-Spam-Level:
X-Spam-Status: No, score=-2.498 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dCLcIfYWlmC6 for <xmpp@core3.amsl.com>; Wed, 16 Mar 2011 03:05:51 -0700 (PDT)
Received: from bhuna.collabora.co.uk (bhuna.collabora.co.uk [93.93.128.226]) by core3.amsl.com (Postfix) with ESMTP id B5B023A68E0 for <xmpp@ietf.org>; Wed, 16 Mar 2011 03:05:51 -0700 (PDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: stefw) with ESMTPSA id BDED3A4840B
Message-ID: <4D808BCC.2010302@collabora.co.uk>
Date: Wed, 16 Mar 2011 11:07:08 +0100
From: Stef Walter <stefw@collabora.co.uk>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Thunderbird/3.1.8
MIME-Version: 1.0
To: kevin@kismith.co.uk
References: <C9A3FBEC.4D471%joe.hildebrand@webex.com> <4D7EA297.1020304@babelmonkeys.de> <4D7ED1C8.4050201@stpeter.im> <4D808570.20405@collabora.co.uk> <AANLkTin2AYwdfJxydea4p=Joq=nqWdiF7wGyheKeoJV7@mail.gmail.com>
In-Reply-To: <AANLkTin2AYwdfJxydea4p=Joq=nqWdiF7wGyheKeoJV7@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: xmpp@ietf.org
Subject: Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2011 10:05:52 -0000

On 03/16/2011 10:44 AM, Kevin Smith wrote:
> On Wed, Mar 16, 2011 at 9:40 AM, Stef Walter <stefw@collabora.co.uk> wrote:
>> From a security perspective the hardcoded or configured hostname is user
>> input and can be used in identity checks. So client app developers have
>> two options:
>>
>>  * Throwing up a "cop out" certificate dialog and tossing the entire
>>   security decision in the lap of the user.
>>
>>  * Using all the user's input (not just the JID) to generate reference
>>   identifiers to use to verify the certificate.
>>
>> If these were corner cases, and 99% of users would never run into this,
>> then I'd tend to agree with you, but this is a widely deployed
>> configuration on virtually hosted XMPP servers.
> 
> This is mixing two ideas - yes, GTalk has many many hosted domains and
> isn't presenting 'valid' certificates for them. However, in none of
> these cases should the user be specifying a hard-coded hostname - that
> just implies that their DNS setup is broken.
> 
> Virtual hosting - common
> Manually specifying connection hosts - rare.

I wish it was rare, but all the documentation that users follow to setup
their Google Talk accounts talk about manually specifying the connection
host:

http://www.google.com/support/talk/bin/answer.py?answer=24076
http://www.google.com/support/talk/bin/answer.py?hl=en&answer=24073
http://www.google.com/support/talk/bin/answer.py?hl=en&answer=24074
... and so on ...

Also in many clients the user selects 'Google Talk' as the type of
account, and therefore the client knows that the client is expecting to
connecting to talk.google.com and the client manually uses this as a
reference identifier.

I'm not holding this up as some example of a sane setup. But using
additional user input as reference identifiers is a pragmatic solution
to something that a large amount of users bump into when using XMPP + TLS.

I guess I'm okay with just leaving this annoying situation unspecified
in the RFC, and hopefully it'll go away in the future once things like
SNI is better supported, and service providers with virtual hosting get
their act together.

Until then clients meanwhile will probably continue to use the manually
specified server and user selection as a way to check certificate
identities and not follow the RFC too closely in this regard.

Cheers,

Stef

v2.23.0 | Report a Bug | By Email