Eric Rescorla wrote:

> So, again, I think it would be best to separate two issues:
>
> (1) What style of authentication you want.
> (2) What protocol it's embodied in.
>
> I think we can all agree on the following:
> (1) You must have an operational mode that doesn't require certified
>     public keys.
> (2) There needs to be some continuity of authentication mechanism so whatever
>     manual authentication stage only needs to be done once.
> (3) The manual authentication stage should be as convenient as possible.
> (4) The system needs to work with Bots on the other end.

Thanks, that's helpful.

> As I indicated in my blog post,
> http://www.educatedguesswork.org/2008/08/authentication.html
> there are a number of potential options, including fingerprints, passwords,
> and SAS. Each has some advantages and disadvantages, and it may
> be the case that you need to have multiple options.
>
> Speaking as someone who knows COMSEC but isn't really part of the XMPP
> community, I would encourage you to try to figure out what *style* of
> authentication you want and what the constraints are, and then ask what
> protocol best suits or can be made to best suit those needs.

The thinking behind ESessions and some of the discussion here indicates an interest in drop-dead-simple authentication so that your average user can experience the benefits of encryption. No CA-issued certs or PGP keys to manage, no fingerprint checking required, etc.

Personally I'm fine with fingerprint checking, which is especially easy if my contact has published a fingerprint to a web page. But not everyone has a web page. Besides, how do I know that the URL advertised in your electronic profile is really yours (couldn't your server modify your profile?). Some of this is solved in social ways (e.g., the URL for my blog is fairly well known, I post frequently to discussion lists and provide a link to a contact page, etc.), but for the average user it might not be feasible to check fingerprints.

As far as I can see, SAS requires checking out of band. But I might not even know how to contact you out of band -- e.g., via phone or encrypted email. Furthermore, the average user doesn't sign or encrypt their email. So we're left with the phone, which is not necessarily convenient (how do I find your phone number?) or secure (how do I know that the phone number in your electronic profile is really yours, how do I know what you're supposed to sound like if I've never talked with you?). And SAS doesn't help our automated friends (yes, "bots are people too!").

Passwords (a la SRP) are interesting. They require some shared context (e.g., the password is the name of that bar where we had a beer last week, the city where we first met, the last song released by a band we both like, the nickname of that weird guy in the chatroom). But typically people who are communicating over XMPP have some kind of shared context, whether that is gained from interacting IRL, communicating via email or web forums or blogs or IM, sharing some interest, etc. In the age of Facebook and (to some extent) a common worldwide culture, presumably some passwords could be guessed, but they could be made harder to guess if people really care to. Plus, I think that a mutual, shared passphrase feels familiar to people in a way that fingerprints and short authentication strings don't (it brings back memories of secret phrases among children and such). And bots could generate passphrases in some automated ways that I'm not creative enough to think of right now.

Anyway, those are some random musings. Maybe someone will find them helpful...

/psa
