Scott Cotton wrote:

Hi all,

Another question from a newbie. I'm interested to know any pointers or opinions about using TLS certificates (with trust chains) as a means to authenticate the originator of an incoming s2s connection.

In particular, is it considered a feasible policy for an XMPP server to accept stanzas from an incoming s2s connection so long as the FQDN of the "from" attribute of the stanza matches the common name of the incoming server's certificate, and that certificate is valid and signed by a trusted certificate authority? (Of course, assuming all else is OK for accepting the stanza.)

RFC 3920 talks about certificate handling mostly in the client-to-server context, and refers to an informational RFC (2818) for further information. That document also considers a client-server circumstance where the hostname (URI) is known to the client ahead of time. This does not seem to be the case when considering an incoming server-server connection, in addition to the reversal of roles (the receiving end wants to authenticate the initiating end).

Maybe I'm missing something (please do tell if so). It seems like there should be some sort of middle ground between SASL and dialback, since dialback is optional and SASL is hard to coordinate for public federation. Maybe policy w.r.t. TLS certificates or an SPF-like approach (see http://openspf.org), or requiring dialback for publicly federated servers, would be of interest.

The recommended approach is TLS + SASL EXTERNAL. Essentially, once you do TLS with a trusted certificate, SASL EXTERNAL is pro-forma (you just point to the cert and say "use that"). So I don't see a need for something in between SASL and dialback. However, we do have a need for X.509 certificates that are easier for server administrators to obtain. I'm working on that with some existing certification authorities.

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
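As an added illustration of the check Scott asks about (example code written for this page, not code from the thread, from the Jabber Software Foundation, or from any XMPP server): the receiving side requires a CA-signed peer certificate at the TLS layer, and then compares the domainpart of each stanza's "from" attribute against the names in that certificate. Peter's point is that once this TLS step has happened, SASL EXTERNAL simply refers to the same certificate. The certificate dict and the stanzas are constructed sample data; the comparison prefers subjectAltName dNSName entries over the CN, which is a practitioner's caveat added here rather than something the thread discusses.

```python
import ssl
import xml.etree.ElementTree as ET


def receiving_side_context(ca_file=None):
    """TLS context for the receiving end of an s2s connection.

    CERT_REQUIRED makes the handshake fail unless the initiating server
    presents a certificate chaining to a CA in this context's trust store,
    and only then does SSLSocket.getpeercert() return a non-empty dict.
    Purpose.CLIENT_AUTH leaves check_hostname off: the receiving side does
    not know the peer's name in advance, so the identity check is done
    afterwards against the "from" attribute (see stanza_accepted below).
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file is None:
        # No explicit CA bundle given: fall back to the system trust store.
        ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
    return ctx


def requires_client_cert(ctx):
    """True if the context rejects peers that present no valid certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def cert_identities(peer_cert):
    """Names the certificate asserts, lower-cased.

    The question talks about the subject CN, but a certificate may carry
    several names; subjectAltName dNSName entries take precedence and the
    CN is used only as a fallback when there are none (RFC 6125 style).
    Input is the dict shape returned by SSLSocket.getpeercert().
    """
    names = [value.lower() for kind, value in peer_cert.get("subjectAltName", ())
             if kind == "DNS"]
    if names:
        return names
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def domainpart(jid):
    """Domain of an XMPP address: [localpart@]domainpart[/resourcepart]."""
    bare = jid.split("/", 1)[0]          # drop the resource (it may contain '@')
    domain = bare.split("@", 1)[1] if "@" in bare else bare
    return domain.lower().rstrip(".")


def stanza_accepted(stanza_xml, peer_cert):
    """The policy asked about in the thread: accept a stanza only if the
    domainpart of its "from" attribute equals a name in the peer certificate
    that the TLS layer already validated against a trusted CA (exact match;
    wildcard names are deliberately not honoured here).
    """
    if not peer_cert:
        # Empty dict: the peer was not verified, so nothing here can be trusted.
        return False
    root = ET.fromstring(stanza_xml)
    sender = root.get("from")
    if sender is None:
        return False
    return domainpart(sender) in cert_identities(peer_cert)


# Constructed sample data (not from the thread): the dict mirrors the shape
# ssl.SSLSocket.getpeercert() returns for a verified peer.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "example.net"),),),
    "subjectAltName": (("DNS", "example.net"), ("DNS", "conference.example.net")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
GENUINE_STANZA = ("<message xmlns='jabber:server' from='juliet@example.net/balcony' "
                  "to='romeo@example.com'><body>hi</body></message>")
SPOOFED_STANZA = ("<message xmlns='jabber:server' from='juliet@example.org' "
                  "to='romeo@example.com'><body>hi</body></message>")

if __name__ == "__main__":
    print(stanza_accepted(GENUINE_STANZA, SAMPLE_PEER_CERT))  # True
    print(stanza_accepted(SPOOFED_STANZA, SAMPLE_PEER_CERT))  # False
    print(stanza_accepted(GENUINE_STANZA, {}))                # False: unverified peer
```

The context is built with Purpose.CLIENT_AUTH on purpose: with Purpose.SERVER_AUTH the stdlib would turn on check_hostname, which needs a name known before the handshake, and that is exactly what the receiving end of an s2s connection does not have. The chain validation happens in the TLS layer; the function above only does the name comparison that the question proposes.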
