IETF Logo Mail Archive

Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis

Florian Zeitz <florob@babelmonkeys.de> Mon, 14 March 2011 23:29 UTC

Return-Path: <florob@babelmonkeys.de>
X-Original-To: xmpp@core3.amsl.com
Delivered-To: xmpp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D5C993A6BA1 for <xmpp@core3.amsl.com>; Mon, 14 Mar 2011 16:29:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wREpJy5EArJK for <xmpp@core3.amsl.com>; Mon, 14 Mar 2011 16:29:27 -0700 (PDT)
Received: from babelmonkeys.de (v64231.topnetworks.de [82.197.159.233]) by core3.amsl.com (Postfix) with ESMTP id ACCD93A6B8B for <xmpp@ietf.org>; Mon, 14 Mar 2011 16:29:27 -0700 (PDT)
Received: from xdsl-78-34-194-56.netcologne.de ([78.34.194.56] helo=[192.168.234.167]) by babelmonkeys.de with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <florob@babelmonkeys.de>) id 1PzHDv-0001OS-Aa for xmpp@ietf.org; Tue, 15 Mar 2011 00:30:51 +0100
Message-ID: <4D7EA525.4050207@babelmonkeys.de>
Date: Tue, 15 Mar 2011 00:30:45 +0100
From: Florian Zeitz <florob@babelmonkeys.de>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110307 Lanikai/3.1.9
MIME-Version: 1.0
To: xmpp@ietf.org
References: <4D7E61BD.50804@collabora.co.uk> <4D7E9902.4020908@babelmonkeys.de> <4D7E9E39.4030900@stpeter.im>
In-Reply-To: <4D7E9E39.4030900@stpeter.im>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2011 23:29:28 -0000

Am 15.03.2011 00:01, schrieb Peter Saint-Andre:
> On 3/14/11 4:38 PM, Florian Zeitz wrote:
>> I think there are 2 things in the draft that are actually wrong-ish:
>> a) It currently says "The initiating entity sets its reference
>> identifier to the 'to' address it communicates in the initial stream
>> header". I think that is somewhat backwards. The initiating entity does
>> not choose the domain to construct reference identifiers from based on
>> the 'to' attribute that it set, but it sets the 'to' attribute based on
>> the same domain it bases the reference identifiers of.
>
> I don't see a real difference between those two things.
>
It's really not a big deal. Basically currently it says that the 'to' 
attribute is said from the user input and the source domain is then set 
from the 'to' attribute. That seems like a strange layer of indirection, 
but I can certainly live with it.

>> b) I don't think the draft means "reference identifier" here. I think
>> what it actually is talking about is the "source domain" that it will
>> base reference identifiers of. I think once that is clarified the rules
>> for building a list of reference identifiers that are in
>> draft-saintandre-tls-server-id are sufficient.
>
> I think that's right, and changing "reference identifier" to "source
> domain" is a relatively small fix. The rules about reference identifiers
> are provided in Section 13.7.1.2.1.
>
I had hoped for that ;)

>> The later is certainly not sufficient as a source domain. That in turn
>> implies (IMHO) we will always have/want to set the 'to' attribute to the
>> JID's domainpart (and while the draft actually says to put a
>> "domainpart" there, it is not specific on where to get that from,
>> especially for the cases where you can't set a 'from', because you don't
>> know the JID beforehand). I'd therefore assume you'd not use the
>> user-entered FQDN as source domain, but I'd like some clarification on
>> that point, too.
>
> Here again I don't understand the concern.
>
> Let's say a connected client generates a stanza for sending to
> romeo@montague.net. The server strips off the localpart, throws away the
> at-sign, and thus has montague.net as the domain to which it will try to
> connect (i.e., perform FQDN resolution to get an IP address etc.).
> That's the domainpart the server derives from the stanza's 'to' address.
> Seems pretty straightforward to me, but perhaps it's not spelled out in
> exactly that many words.
>
I think that example only applies to S2S connections, right?
Specifically I'm wondering:
If a client connects to a server, just knowing the domain to connect to, 
but not the users JID what does it put as the 'to' attribute?
Depending on the answer to Stef Walter's original question that might be 
trivial to answer or not, it's either that very domain, or a domainpart 
that is not actually known to the client.

--
Florian Zeitz

v2.23.0 | Report a Bug | By Email