Well, the basic technology with a CA is not that hard. The legal part and the trust part in upper layers are the tough issues to handle. Let's just assume that the goal here is to build a small CA or web of trust with a "user" identity at the top. That identity and the binding to a JID is already created, either controlled by the client or by the XMPP domain administrator.

-----------
To go back a few steps and try to explain a bit:

Everything starts with asymmetric keys - one called private and one called public. In PKI/CA systems, the public key and some administrative data is encapsulated in a document called a Certificate, that is itself signed by another entity like any other document or software signed with a digital signature. They create a hash of the document, encrypt that with their private key and since we have their public key in our CA certificate store, we approve of the digital signature and thus approve of the public key.

After that, there is a challenge where we ask the other side to encrypt a token with their private key, so that we are assured that they have access to the private key. If we accept the CA's digital signature of the X.509 signature, we accept the binding between the administrative data (user name, server name, JID, e-mail address) and the entity on the other end of the communications channel.

To summarize, you have
 * the private key
 * the public key
 * A certificate, that binds an identity to the key pair

-----------

Now, in the case of client/user delegation, we could in theory

 * create a new key pair for the client - the device
 * sign the public key with the "user account"'s private key
 * in this signed document - regardless of format - include a full jid - basic jid and resource - of the client
 * send the signed document to the server
 * Assuming that the server already has accepted the user's binding between a JID and the key-pair, the server now accepts the delegation from the user key pair to the "client" key pair and adds the fingerprint or the public key or the full document to an identity store
 * Now, the client connects using the client "cert" and is identified as a client authorized for the user's account with a fixed full jid

I am not aware how this fits into a traditional X.509/PKI structure, but am sure that Simon can help me there. This is definitely doable with PGP, it's just a small user-based "web of trust".

With a solution along these lines, I could accept using those hosted jabber solutions for iPhone and not be afraid of losing my phone. And Dirk could delegate to a set-top-box or something else.

And yes, there was a lot of mushroom in the forest :-). Back to the kitchen...

Cheers,
/O
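
The delegation steps listed in the message above, as an added example that is not part of the original e-mail or of any XMPP specification. It assumes Ed25519 keys, a made-up document format (full JID, a NUL byte, then the device public key), and hypothetical names `Server`, `Delegate`, `Accept` and `Login`; the JIDs and the nonce are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Server is a constructed stand-in for the XMPP server's identity store.
type Server struct {
	Users   map[string]ed25519.PublicKey // bare JID -> user key the server already accepted
	Devices map[[32]byte]string          // SHA-256 of device public key -> delegated full JID
}

// Delegate signs "full JID, NUL, device public key" (assumed format) with the user key.
func Delegate(userPriv ed25519.PrivateKey, fullJID string, devPub ed25519.PublicKey) (doc, sig []byte) {
	doc = append([]byte(fullJID+"\x00"), devPub...)
	return doc, ed25519.Sign(userPriv, doc)
}

// Accept stores the device fingerprint only if the key bound to the bare JID signed doc.
func (s *Server) Accept(doc, sig []byte) error {
	jid, devPub, _ := bytes.Cut(doc, []byte{0})
	bare, resource, _ := bytes.Cut(jid, []byte("/"))
	userPub, known := s.Users[string(bare)]
	if !known || len(resource) == 0 || len(devPub) != ed25519.PublicKeySize || !ed25519.Verify(userPub, doc, sig) {
		return fmt.Errorf("delegation for %q rejected", jid)
	}
	s.Devices[sha256.Sum256(devPub)] = string(jid)
	return nil
}

// Login is the proof-of-possession step: the device signs the server's nonce.
func (s *Server) Login(devPub ed25519.PublicKey, nonce, proof []byte) (string, bool) {
	jid, ok := s.Devices[sha256.Sum256(devPub)]
	if !ok || !ed25519.Verify(devPub, nonce, proof) {
		return "", false
	}
	return jid, true
}

func main() { // constructed keys, JIDs and nonce; a real server sends a fresh random nonce
	userPub, userPriv, _ := ed25519.GenerateKey(nil)
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	s := &Server{Users: map[string]ed25519.PublicKey{"user@example.org": userPub}, Devices: map[[32]byte]string{}}
	doc, sig := Delegate(userPriv, "user@example.org/iphone", devPub)
	fmt.Println(s.Accept(doc, sig))
	fmt.Println(s.Login(devPub, []byte("nonce"), ed25519.Sign(devPriv, []byte("nonce"))))
}
```

In this sketch, withdrawing a lost device amounts to deleting its fingerprint from `Devices`; the user account's key pair is untouched.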
