Re: [xmpp] DNA transport

"Richard L. Barnes" <RBARNES@BBN.COM> Fri, 15 January 2010 19:10 UTC

Message-Id: <B3525EF6-48E6-459C-A7BA-4093ED775E8B@BBN.COM>
From: "Richard L. Barnes" <RBARNES@BBN.COM>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <4B50A8BE.1030709@cs.tcd.ie>
Date: Fri, 15 Jan 2010 14:10:12 -0500
References: <2170B6E1-79CA-4F85-A1D2-4564B8806984@BBN.COM> <4B50A8BE.1030709@cs.tcd.ie>
Cc: xmpp@ietf.org
Subject: Re: [xmpp] DNA transport
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>

That's a good point -- looking more closely at the spec, the current
format only carries one authorization (AC or SAML).  However, it would
be easy to extend it to support multiple authorizations; I don't see
any obvious length constraints.  How many authorizations are we
talking about?

--Richard



On Jan 15, 2010, at 12:41 PM, Stephen Farrell wrote:

>
> Richard L. Barnes wrote:
>> Assuming for the moment that we're going to stick with attribute certs:
>> Rather than using both TLS and some new XML to carry DNA information,
>> why not just hand the attribute certs over as part of the TLS
>> negotiation?  That is, carrying XMPP authorization certs seems like a
>> natural application of the TLS authorization extensions [1].  That way,
>> implementations can save on the crypto costs (since tls-authz is
>> reportedly already implemented in OpenSSL, GNUTLS, and NSS), and
>> draft-ietf-xmpp-dna can focus on the AC profile.
>
> Would tls-authz work for the number of ACs that'd be involved here?
> I understood that there could be a lot, which could therefore be a
> good reason to do DNA at the application layer. Triggering sending
> the right ACs at the right time could also be tricky depending on
> the interfaces between the TLS library and the application. So I'd
> say this is worth checking out, and would be interested if someone
> did that, but I'd be a bit surprised if it were the right answer
> in the end.
>
> S.
>
>
>
>>
>> --Richard
>>
>> [1] <http://tools.ietf.org/html/draft-housley-tls-authz-extns-09>
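To make the length budget discussed in this exchange concrete, the following is an added example written for this page; it is not code from the thread, from draft-ietf-xmpp-dna, from the tls-authz draft, or from any TLS library. It encodes and parses the AuthorizationData structure that draft-housley-tls-authz-extns carries in the TLS SupplementalData handshake message, using the draft's own TLS vector conventions, so that the question "how many ACs fit?" can be answered by running it. The field layout (a one-byte format code followed by an opaque <1..2^16-1> blob per entry, and a <1..2^16-1> list of entries) is my reading of the draft and should be checked against the current text; the URL-and-hash formats are left out; and the sample attribute certificates are constructed filler bytes, not real DER.

```python
# Added example (not code from the thread or from the tls-authz draft itself):
# a minimal encoder/decoder for the AuthorizationData structure carried in the
# TLS SupplementalData message, used to make the length budget for attribute
# certificates concrete.
#
# Assumed layout (my reading of draft-housley-tls-authz-extns; verify it):
#   AuthzDataFormat: x509_attr_cert(0), saml_assertion(1)    -- 1 byte
#   AuthorizationDataEntry = authz_format || opaque data<1..2^16-1>
#   AuthorizationData      = authz_data_list<1..2^16-1> of entries
# The x509_attr_cert_url / saml_assertion_url formats are not modelled here.

import struct

X509_ATTR_CERT = 0
SAML_ASSERTION = 1
VECTOR_MAX = 2**16 - 1  # TLS <1..2^16-1> vector limit (2-byte length prefix)
ENTRY_OVERHEAD = 3      # 1-byte format code + 2-byte length per entry


def encode_entry(fmt, blob):
    """Serialize one AuthorizationDataEntry: format byte, 2-byte length, data."""
    if fmt not in (X509_ATTR_CERT, SAML_ASSERTION):
        raise ValueError("unsupported authz_format %r" % fmt)
    if not 1 <= len(blob) <= VECTOR_MAX:
        raise ValueError("authz data must be 1..%d bytes" % VECTOR_MAX)
    return struct.pack("!BH", fmt, len(blob)) + blob


def encode_authz_data(entries):
    """Serialize AuthorizationData; raise if the list overflows its 16-bit length."""
    body = b"".join(encode_entry(fmt, blob) for fmt, blob in entries)
    if not 1 <= len(body) <= VECTOR_MAX:
        raise ValueError("authz_data_list is %d bytes, limit is %d"
                         % (len(body), VECTOR_MAX))
    return struct.pack("!H", len(body)) + body


def decode_authz_data(buf):
    """Parse AuthorizationData into [(format, blob), ...], checking every length."""
    if len(buf) < 2:
        raise ValueError("truncated AuthorizationData")
    (total,) = struct.unpack("!H", buf[:2])
    if total < 1 or 2 + total != len(buf):
        raise ValueError("authz_data_list length %d does not match buffer" % total)
    pos, end, entries = 2, 2 + total, []
    while pos < end:
        if end - pos < ENTRY_OVERHEAD:
            raise ValueError("truncated AuthorizationDataEntry")
        fmt, n = struct.unpack("!BH", buf[pos:pos + ENTRY_OVERHEAD])
        pos += ENTRY_OVERHEAD
        if n < 1 or pos + n > end:
            raise ValueError("entry length %d runs past the list" % n)
        entries.append((fmt, buf[pos:pos + n]))
        pos += n
    return entries


def max_entries(blob_len):
    """How many equally sized authorizations fit in one AuthorizationData."""
    return VECTOR_MAX // (ENTRY_OVERHEAD + blob_len)


# Constructed sample: stand-ins for DER-encoded attribute certificates.
# Real ACs run from a few hundred bytes to a few kilobytes; these are filler.
SAMPLE_ACS = [bytes([i + 1]) * (400 + 50 * i) for i in range(5)]


def demo():
    """Round-trip the sample ACs and report the per-size capacity."""
    entries = [(X509_ATTR_CERT, ac) for ac in SAMPLE_ACS]
    wire = encode_authz_data(entries)
    assert decode_authz_data(wire) == entries
    return {"wire_bytes": len(wire),
            "fit_1000B": max_entries(1000),
            "fit_2000B": max_entries(2000)}


if __name__ == "__main__":
    print(demo())
```

The capacity numbers are what the length check enforces: with 3 bytes of framing per entry, 65 one-kilobyte ACs or 32 two-kilobyte ACs exhaust a single authz_data_list, and encode_authz_data refuses anything larger rather than emitting a truncated length field. Whether a given TLS stack would actually let the application push that much supplemental data at the right point in the handshake is a separate question that this example does not answer.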