Re: [xmpp] Clarification of TLS Identity checking in draft-ietf-xmpp-3920bis
Peter Saint-Andre <stpeter@stpeter.im> Tue, 15 March 2011 03:14 UTC
Message-ID: <4D7ED9E9.70501@stpeter.im>
Date: Mon, 14 Mar 2011 21:15:53 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: xmpp@ietf.org
References: <4D7E61BD.50804@collabora.co.uk> <4D7E9902.4020908@babelmonkeys.de> <4D7E9E39.4030900@stpeter.im> <4D7EA525.4050207@babelmonkeys.de> <4D7ED70C.7070708@stpeter.im>
In-Reply-To: <4D7ED70C.7070708@stpeter.im>
On 3/14/11 9:03 PM, Peter Saint-Andre wrote:
> Sorry, I was in a hurry earlier. I've had another look at this now that
> I have a bit more time...
>
> On 3/14/11 5:30 PM, Florian Zeitz wrote:
>> On 15.03.2011 00:01, Peter Saint-Andre wrote:
>>> On 3/14/11 4:38 PM, Florian Zeitz wrote:
>>>> I think there are 2 things in the draft that are actually wrong-ish:
>>>> a) It currently says "The initiating entity sets its reference
>>>> identifier to the 'to' address it communicates in the initial stream
>>>> header". I think that is somewhat backwards. The initiating entity does
>>>> not choose the domain to construct reference identifiers from based on
>>>> the 'to' attribute that it set, but it sets the 'to' attribute based on
>>>> the same domain it bases the reference identifiers of.
>>>
>>> I don't see a real difference between those two things.
>>>
>> It's really not a big deal. Basically currently it says that the 'to'
>> attribute is set from the user input and the source domain is then set
>> from the 'to' attribute. That seems like a strange layer of indirection,
>> but I can certainly live with it.
>
> In fact I think it's right as it is. Here's why:
>
> 1. First the initiating entity opens a stream to the receiving entity.
> There is no security interaction yet.
>
> 2. The parties decide to negotiate TLS. Now the initiating entity
> establishes its set of reference identifiers based on the source domain.
>
>>>> b) I don't think the draft means "reference identifier" here. I think
>>>> what it actually is talking about is the "source domain" that it will
>>>> base reference identifiers of. I think once that is clarified the rules
>>>> for building a list of reference identifiers that are in
>>>> draft-saintandre-tls-server-id are sufficient.
>>>
>>> I think that's right, and changing "reference identifier" to "source
>>> domain" is a relatively small fix. The rules about reference identifiers
>>> are provided in Section 13.7.1.2.1.
>>>
>> I had hoped for that ;)
>
> The right fix is:
>
> The initiating entity sets the source domain of its reference
>                                ^^^^^^^^^^^^^^^^^^^^
> identifier to the 'to' address it communicates in the initial
> stream header...

Sorry, one more slight correction: "the source domain of its reference
identifiers" (in the plural) because the initiating entity might have
multiple reference identifiers (dNSName, SRVName, etc.).

Peter

--
Peter Saint-Andre
https://stpeter.im/
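The point of the thread, shown as an added example that is not code from the thread or from 3920bis: the initiating entity derives its whole set of reference identifiers (DNS-ID, SRV-ID, XmppAddr) from the source domain it also sends as the 'to' address, and only then compares them with what the server certificate presents. The `Identifier` class, the kind tags, the function names and the default `xmpp-client` service are assumptions of this example; presented identifiers are constructed lists, not a parsed certificate.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identifier:
    kind: str   # "DNS-ID", "SRV-ID" or "XmppAddr" (hypothetical tags)
    value: str  # identifier text as found in the certificate

def reference_identifiers(source_domain: str, service: str = "xmpp-client") -> set:
    """Reference identifiers the initiating entity derives from its source domain.

    The source domain is the user-supplied domain that also becomes the 'to'
    address; it is never taken from DNS SRV results, so a spoofed SRV record
    cannot change what the certificate is checked against.
    """
    d = source_domain.lower().rstrip(".")
    return {
        Identifier("DNS-ID", d),
        Identifier("SRV-ID", f"_{service}.{d}"),
        Identifier("XmppAddr", d),
    }

def _dns_match(reference: str, presented: str) -> bool:
    """DNS-ID comparison: exact, or a wildcard that replaces only the
    whole left-most label (RFC 6125 6.4.3 style; no "*.com" wildcards)."""
    if "*" not in presented:
        return reference == presented
    p_labels, r_labels = presented.split("."), reference.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(r_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == r_labels[1:]

def identity_matches(references: set, presented: list) -> bool:
    """True if any presented identifier matches a reference of the same kind.

    Only DNS-ID gets wildcard handling here; SRV-ID and XmppAddr are compared
    exactly. The certificate subject CN is deliberately not consulted.
    """
    for ref in references:
        for pres in presented:
            if ref.kind != pres.kind:
                continue
            value = pres.value.lower().rstrip(".")
            if ref.kind == "DNS-ID":
                if _dns_match(ref.value, value):
                    return True
            elif ref.value == value:
                return True
    return False
```

A certificate issued for the hosting provider's own machine name, which is what an SRV lookup would return, does not match any of these references, which is exactly why the source domain rather than the resolved host anchors the check.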