Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis

[Florian Zeitz <florob@babelmonkeys.de>]

Am 15.03.2011 03:41, schrieb Peter Saint-Andre:
> I think you mean the kind of thing that is explained, in depth, in
> draft-saintandre-tls-server-id-check. I encourage anyone who has
> questions about these matters to please re-read that spec, because it
> discusses these matters in great detail.
>
> So yes, it is true that in some circumstances a user might configure his
> IM client with two things:
>
> 1. The domain name of the application service, which is the domainpart
> of his JID, such as romeo@montague.lit =>  montague.lit; this is the
> "source domain".
>
> 2. A "hardcoded" hostname that he has explicitly assocated with the
> domainpart of your JID, such as apps.shakespeare.lit; this is the
> "target domain".
>
> However, for the purposes of checking the identity of the application
> service when connecting via TLS, Romeo's client would check to see that
> the service presents a certificate that says it is "montague.lit"
> (unless he overrides the checks or explicitly approve of connecting to
> "apps.shakesepeare.lit").
>
> Please understand that 99% of users will never see such a configuration
> option and that they don't know anything about apps.shakespeare.lit or
> some special hostname that they're connecting to -- all that they know
> is that they're trying to connect to montague.lit (if they even know
> this, because lots of people just think that they're trying to connect
> to "Shakespeare" or even "that IM thing" -- if you doubt it, I recommend
> that you run your own public IM service, because it can be quite
> enlightening).
>
I agree this is the way to do it, having read the relevant bits again 
after some sleep I also agree it's clear from the draft(s), sorry about 
that.

>> Both are certainly valid options for checking against.
>
> Are they? From a user perspective, is montague.lit (the source domain)
> just as valid as apps.shakespeare.lit (the target domain)? Does the
> typical user understand that kind of delegation arrangement? Again, I
> suggest that they don't.
>
Usually this configuration is labeled something like "Connect to 
different server: Host: Port:".
I personally do expect some percentage of users to be confused by the 
fact that a client tries to verify motague.lit when explicitly told to 
connect to apps.shakespeare.lit. But that will also happen when trying 
to verify apps.shakespeare.lit while the domainpart is montague.lit, so 
that's not a solvable "issue".
It just needs to be clear which method is correct, which it is. Again 
sorry about that.

>> My reasoning was that since you have to use the domainpart of the JID
>> when doing SRV (I was not sure from reading the draft, but it seemed
>> sensible),
>
> What else would you use?
>
The SRV lookup's result, which I consider functionally equivalent to the 
user specifing a separate host to connect to.
And yes I *do* realize that would be an utterly stupid choice, that is 
why the "have to" is there.

>> it seems logical to do the same when the user specified a FQDN.
>
> In this case, if Romeo has explicitly approved of connecting to
> apps.shakespeare.lit then he has "pinned" the certificate to that
> domain, in which case it's fine for the server to check that identity in
> addition to "montague.lit". However, in general this is not a good idea
> because very few users understand the implications of such a configuration.
>
> In any case, nothing in this message requires any changes to either
> draft-ietf-xmpp-3920bis or draft-saintandre-tls-server-id-check.
>
> Peter
>