Re: [xmpp] Fwd: Re: [dane] DANE-SRV, SNI functional equivalent and XMPP

Peter Saint-Andre - &yet <peter@andyet.net> Mon, 18 May 2015 23:32 UTC

Message-ID: <555A769D.6060003@andyet.net>
Date: Mon, 18 May 2015 16:32:45 -0700
From: Peter Saint-Andre - &yet <peter@andyet.net>
To: Dave Cridland <dave@cridland.net>
References: <555A61CA.2020108@andyet.net> <555A6319.9010703@andyet.net> <CAKHUCzyue1AAgnYiy2V7fpxTfqkh=pYyffUDiaiQ90ggYFkuyg@mail.gmail.com>
In-Reply-To: <CAKHUCzyue1AAgnYiy2V7fpxTfqkh=pYyffUDiaiQ90ggYFkuyg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/xmpp/sZpXWq3wiUhf8XBq2rf6qlMi0KU>
Cc: XMPP Working Group <xmpp@ietf.org>
Subject: Re: [xmpp] Fwd: Re: [dane] DANE-SRV, SNI functional equivalent and XMPP

On 5/18/15 3:26 PM, Dave Cridland wrote:
>
> On 18 May 2015 23:09, "Peter Saint-Andre - &yet" <peter@andyet.net> wrote:
>  >
>  > This thread started on the DANE WG list but I think it belongs here.
>  >
>  >
>  > -------- Forwarded Message --------
>  > Subject: Re: [dane] DANE-SRV, SNI functional equivalent and XMPP
>  > Date: Mon, 18 May 2015 15:03:54 -0700
>  > From: Peter Saint-Andre - &yet <peter@andyet.net>
>  > To: dane@ietf.org
>  >
>  > On 5/17/15 9:55 AM, Kim Alvefur wrote:
>  >>
>  >> Hello list!
>  >
>  >
>  > Hi Zash!
>  >
>  >> Georg Lukas noted that section 4.1 says, in the context of XMPP, to use
>  >> to='xmpp23.hosting.example.net' in the stream header, as that is the
>  >> "functional equivalent" of SNI in XMPP.  However, that conflicts with
>  >> the current semantics of 'to' being the service domain name to the
>  >> server host name.  That will break many, if not all, deployed servers.
>  >> The server should know what certificate to use for the indicated domain
>  >> name.
>  >>
>  >> http://tools.ietf.org/html/draft-ietf-dane-srv-14#section-4.1
>  >
>  >
>  > Hmm.
>  >
>  > First, all draft-ietf-dane-srv says is that you don't need to use SNI in
>  > XMPP because we already have a way for the TLS client to specify which
>  > domain name it expects of the TLS server, i.e., the 'to' address of the
>  > initial stream header.
>  >
>
> Actually, it's an interesting problem. As I understand it, SNI is
> unencrypted in the handshake, so offers no value, but could easily cause
> major confusion if used, since it is not clear which might take precedence.

Good point.

> However, my understanding - possibly flawed - is that TLS version 1.3
> introduces encrypted handshakes, and then it might be useful to hide the
> server domains used.

I admit that I haven't been tracking the TLS 1.3 initiative, although I
recall that being one of the goals. However, since TLS 1.3 isn't here
yet, it doesn't help us with draft-ietf-xmpp-dna (although we might want
to mention that this applies to TLS 1.2 and lower).

Peter

-- 
Peter Saint-Andre
https://andyet.com/
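The mechanism the thread discusses, as an added example that is not code from the thread or from any XMPP server: the server reads the 'to' attribute of the client's initial stream header and uses that service domain to pick its certificate, which is what makes 'to' the functional equivalent of SNI. The stream header, the certificate inventory and the rule that a client-supplied SNI disagreeing with 'to' is rejected rather than given precedence are all constructed assumptions of this example.

```python
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"

# Constructed initial stream header: the client names the service domain it
# expects (example.com), not the SRV target host that it connected to.
CLIENT_HEADER = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' "
    f"xmlns:stream='{STREAMS_NS}' to='example.com' version='1.0'>"
)

# Constructed inventory of a multi-domain hosting server, keyed by service domain.
CERT_BY_DOMAIN = {
    "example.com": "cert-for-example.com.pem",
    "example.org": "cert-for-example.org.pem",
}


def stream_to(header: str):
    """Return the lower-cased 'to' of the opening <stream:stream>, or None.

    The stream element is never closed while the session is open, so an
    incremental parser is used and only the 'start' event is consumed.
    """
    parser = ET.XMLPullParser(events=("start",))
    parser.feed(header)
    for _event, elem in parser.read_events():
        if elem.tag == f"{{{STREAMS_NS}}}stream":
            to = elem.get("to")
            return to.lower() if to else None
    return None


def select_certificate(header: str, sni=None):
    """Pick the certificate for the domain named in 'to'.

    Returns (status, domain, cert_file). If the client also sent SNI (assumed
    policy of this example), it must agree with 'to'; a mismatch is refused
    rather than resolved by giving one of the two precedence.
    """
    domain = stream_to(header)
    if domain is None:
        return ("missing-to", None, None)
    if sni is not None and sni.lower() != domain:
        return ("sni-mismatch", domain, None)
    cert = CERT_BY_DOMAIN.get(domain)
    if cert is None:
        return ("unknown-domain", domain, None)
    return ("ok", domain, cert)
```

A header carrying to='xmpp23.hosting.example.net' (the host name rather than the service domain) yields "unknown-domain" here, which is the breakage Kim describes for deployed servers.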