On 05/20/2011 04:15 AM, Glenn Maynard wrote:

Hi,

> Web clients use a server-side helper to look up TXT records. I think
> this requirement is well-understood.

Glenn, the turn your problem definition makes here makes your problem highly hypothetical. If you want to offer an 'open' webservice (there are some of those around), then it is much easier, more reliable and safer (for more than one reason) to keep the connection manager in your own hands and let the connection manager connect to the appropriate XMPP server based on the SRV record.

I am not aware of any BOSH deployment that has a server-side helper to look up the TXT records to have the web client connect to it using CORS. As a matter of fact, I am not aware of any BOSH deployment using CORS at all. I really have no idea what use case you have in mind when you say the TXT records are a problem for browser-based BOSH clients. The case I see is only relevant in a laboratory. The bottom line is: for web-based BOSH clients the DNS TXT record is irrelevant.

> Part of service discovery is the XMPP server continuing the chain of
> trust, telling you which BOSH server it vouches for. If the discovery
> mechanism is insecure, the chain of trust is broken. Using a
> discovered BOSH server is no more a "leap of faith" than anything else
> built on the notion of chain-of-trust--the entire Internet,
> essentially.

Exactly. And because (except for the proposal of Dave) TLS can't help here, DNSSEC is the next best thing. Like it or not.

> Sure there's a way out of it: use a discovery mechanism that doesn't
> depend on DNS, as I gave one example of.
>
>> Why on earth would you want to connect using BOSH when you can connect
>> directly?
>
> You use a server-side helper to do the discovery, exactly as you
> already have to do with TXT lookups in web clients.

As I said before: web clients don't discover BOSH services, not directly and not via a server-side helper. They connect to the associated connection manager. At most that connection manager discovers an XMPP service (and in most cases they don't). If you think otherwise, please give me a use case that has a life outside the laboratory. A fat client that can do a lookup over plain XMPP doesn't need to connect using BOSH. So the only use case for discovering BOSH services, a fat client that can't do plain XMPP for whatever reason, is locked out by your proposal.

>> Well, that argument more or less prevents *any* hosted XMPP solution. If
>> the hosting party doesn't want to carry certificates for all domains
>> they host, then no secure connections are possible, with or without BOSH.
>
> Not at all. With the mechanism I just explained, the BOSH server only
> needs its own TLS certificate. Users of the server (people who own
> their own domains pointing at it) only need to run a "stub" XMPP
> server capable of TLS and the above discovery mechanism.
>
> Not to say that's ideal, of course--lots of people own domains and can
> set up DNS records but can't run an XMPP "stub" server, and it's more
> complex to implement. I didn't say it was a great solution--it just
> demonstrates that it's possible.

It just demonstrates you invented a solution that is far more complex, harder to implement, harder to deploy and by far more error prone than activating your DNSSEC. And if you want an easier solution without DNSSEC: run your own connection manager. Or even easier: don't use BOSH at all...

> I wonder if it'd be possible to stick a TLS certificate chain and a
> signature in TXT records, next to _xmppconnect. This would allow
> signing discovery records, without adding new trust dependencies (it
> uses the same certificate you already have), without depending on
> DNSSEC, and it'd be fully backwards-compatible. Will have to do some
> research...

Signing your DNS records with a TLS certificate? Sounds like rolling out an alternative to DNSSEC that discards the goodies of DNSSEC.

Anyway, I know you dislike DNSSEC and I won't hide the fact that I like it. But starting a fight over DNSSEC is not very relevant here. Can you please tell what you tried to accomplish when you ran into the problem with the validation of the BOSH discovery? With such a use case, we can look for solutions. Without it, we are talking about theoretical issues that are only relevant in the laboratory. And I promise I will respect your dislike of DNSSEC and not shout immediately "DNSSEC is the answer".

best wishes,
Winfried
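As an added illustration (not code from this thread or from any XMPP project), this is the kind of server-side discovery helper the thread argues about, written so that it only releases a BOSH URL to the web client when a validating resolver marked the `_xmppconnect` TXT answer as DNSSEC-authenticated (AD bit). It assumes the XEP-0156 key name `_xmpp-client-xbosh`, the dnspython library for the network path, a DNSSEC-validating resolver configured on the host, and a constructed `bosh.example.com` endpoint in the comments.

```python
"""Server-side BOSH discovery over _xmppconnect TXT records (XEP-0156).
A BOSH URL is released to the web client only if the validating resolver
set the AD bit (DNSSEC-authenticated); an unvalidated record could point
clients at an attacker-chosen connection manager, so it is marked unusable.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Union

TXT_OWNER = "_xmppconnect.{domain}"   # record name per XEP-0156
BOSH_KEY = "_xmpp-client-xbosh"       # XEP-0156 key for the BOSH endpoint


@dataclass
class Discovery:
    bosh_url: Optional[str]           # None when no BOSH record was found
    authenticated: bool               # True only if the AD bit was set

    def usable(self) -> bool:
        """Require a DNSSEC-validated record and an https:// endpoint."""
        return (self.bosh_url is not None and self.authenticated
                and self.bosh_url.startswith("https://"))

def parse_txt(strings: Iterable[Union[str, bytes]]) -> dict:
    """Map 'key=value' TXT strings to a dict; skip unrelated (e.g. SPF)
    and malformed entries."""
    out = {}
    for s in strings:
        if isinstance(s, bytes):
            s = s.decode("ascii", "replace")
        key, sep, value = s.partition("=")
        if sep and key.startswith("_xmpp-"):
            out[key] = value.strip()
    return out

def evaluate(strings: Iterable[Union[str, bytes]], ad_flag: bool) -> Discovery:
    """Pure decision step, kept apart from DNS I/O so it can be tested."""
    return Discovery(parse_txt(strings).get(BOSH_KEY), bool(ad_flag))

def lookup(domain: str) -> Discovery:
    """Query with the DO bit so a validating resolver reports AD (dnspython)."""
    import dns.exception, dns.flags, dns.resolver   # lazy: network path only
    resolver = dns.resolver.Resolver()
    resolver.use_edns(0, dns.flags.DO, 1232)
    try:
        answer = resolver.resolve(TXT_OWNER.format(domain=domain), "TXT")
    except dns.exception.DNSException:
        return Discovery(None, False)
    # A TXT rdata may be split into several strings; join them first.
    strings = [b"".join(rr.strings) for rr in answer]
    return evaluate(strings, bool(answer.response.flags & dns.flags.AD))
```

`lookup("example.com").usable()` is the question the helper answers for the web client; `evaluate` lets you exercise the policy offline with constructed TXT strings.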
