Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis

Peter Saint-Andre <stpeter@stpeter.im> Tue, 15 March 2011 03:14 UTC

Message-ID: <4D7ED9E9.70501@stpeter.im>
Date: Mon, 14 Mar 2011 21:15:53 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: xmpp@ietf.org
References: <4D7E61BD.50804@collabora.co.uk> <4D7E9902.4020908@babelmonkeys.de> <4D7E9E39.4030900@stpeter.im> <4D7EA525.4050207@babelmonkeys.de> <4D7ED70C.7070708@stpeter.im>
In-Reply-To: <4D7ED70C.7070708@stpeter.im>

On 3/14/11 9:03 PM, Peter Saint-Andre wrote:
> Sorry, I was in a hurry earlier. I've had another look at this now that
> I have a bit more time...
> 
> On 3/14/11 5:30 PM, Florian Zeitz wrote:
>> Am 15.03.2011 00:01, schrieb Peter Saint-Andre:
>>> On 3/14/11 4:38 PM, Florian Zeitz wrote:
>>>> I think there are 2 things in the draft that are actually wrong-ish:
>>>> a) It currently says "The initiating entity sets its reference
>>>> identifier to the 'to' address it communicates in the initial stream
>>>> header". I think that is somewhat backwards. The initiating entity does
>>>> not choose the domain to construct reference identifiers from based on
>>>> the 'to' attribute that it set, but it sets the 'to' attribute based on
>>>> the same domain it bases the reference identifiers off.
>>>
>>> I don't see a real difference between those two things.
>>>
>> It's really not a big deal. Basically currently it says that the 'to'
>> attribute is set from the user input and the source domain is then set
>> from the 'to' attribute. That seems like a strange layer of indirection,
>> but I can certainly live with it.
> 
> In fact I think it's right as it is. Here's why:
> 
> 1. First the initiating entity opens a stream to the receiving entity.
> There is no security interaction yet.
> 
> 2. The parties decide to negotiate TLS. Now the initiating entity
> establishes its set of reference identifiers based on the source domain.
> 
>>>> b) I don't think the draft means "reference identifier" here. I think
>>>> what it actually is talking about is the "source domain" that it will
>>>> base reference identifiers off. I think once that is clarified the rules
>>>> for building a list of reference identifiers that are in
>>>> draft-saintandre-tls-server-id are sufficient.
>>>
>>> I think that's right, and changing "reference identifier" to "source
>>> domain" is a relatively small fix. The rules about reference identifiers
>>> are provided in Section 13.7.1.2.1.
>>>
>> I had hoped for that ;)
> 
> The right fix is:
> 
>    The initiating entity sets the source domain of its reference
>                               ^^^^^^^^^^^^^^^^^^^^
>    identifier to the 'to' address it communicates in the initial
>    stream header...

Sorry, one more slight correction: "the source domain of its reference
identifiers" (in the plural) because the initiating entity might have
multiple reference identifiers (dNSName, SRVName, etc.).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
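As an added illustration of the point in this message (not code from the thread or the draft), the following builds a client's set of reference identifiers from one source domain, the same domain it puts in the stream 'to' attribute, and checks them against the identifiers a server certificate presents. The matching rules (DNS-ID with a leftmost-label wildcard only, exact SRV-ID and XmppAddr) are my reading of RFC 6125 / RFC 6120; the certificate contents and the `service` parameter are constructed for the example.

```python
"""Derive XMPP reference identifiers from a source domain and match them
against presented identifiers. Added example, not from the thread; the
matching rules are my reading of RFC 6125 / RFC 6120."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identifier:
    kind: str   # "DNS-ID", "SRV-ID" or "XmppAddr"
    value: str


def reference_identifiers(source_domain: str, service: str = "xmpp-client") -> list:
    """The source domain (which also becomes the stream 'to' attribute)
    drives every reference identifier the initiating entity will accept."""
    d = source_domain.lower()
    return [
        Identifier("DNS-ID", d),
        Identifier("SRV-ID", f"_{service}.{d}"),
        Identifier("XmppAddr", d),
    ]


def _dns_match(ref: str, presented: str) -> bool:
    """Exact case-insensitive match, or a wildcard in the leftmost label only,
    covering exactly one label (so '*.example.org' never matches 'example.org')."""
    p = presented.lower()
    if p == ref:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        parent = p[2:]
        return ref.endswith("." + parent) and "." not in ref[: -len(parent) - 1]
    return False


def identity_matches(source_domain: str, presented: list) -> bool:
    """True if any presented identifier matches a reference identifier of the
    same kind; an SRV-ID reference never matches a dNSName, and vice versa."""
    for ref in reference_identifiers(source_domain):
        for pres in presented:
            if pres.kind != ref.kind:
                continue
            if ref.kind == "DNS-ID" and _dns_match(ref.value, pres.value):
                return True
            if ref.kind != "DNS-ID" and pres.value.lower() == ref.value:
                return True
    return False


# Constructed sample: a hosting provider's cert carrying its own hostname as a
# dNSName plus an SRVName for the hosted XMPP domain.
SAMPLE_CERT_IDS = [
    Identifier("DNS-ID", "xmpp1.hosting.example"),
    Identifier("SRV-ID", "_xmpp-client.im.example"),
]
```

With the sample certificate, a client whose source domain is `im.example` is satisfied by the SRV-ID alone, which is why the plural "reference identifiers" matters.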