Johansson Olle E wrote:
> Now, in the case of client/user delegation, we could in theory
>
> * create a new key pair for the client - the device
>
> * sign the public key with the "user account"'s private key
>
> * in this signed document - regardless of format include a full jid
> - basic jid and resource - of the client
> * send the signed document to the server
That sounds similar to what I suggested some days ago. Since we need a way to revoke a key, we should not use the internal X.509 certificate chain and create a small one in XMPP. We do not need a long chain, only one signature for a client key, and we can use pubsub to handle it. From an earlier post of mine (with a small modification):

| <iq type='result'
|     to='[EMAIL PROTECTED]/garden'
|     from='[EMAIL PROTECTED]'
|     id='items1'>
|   <pubsub xmlns='http://jabber.org/protocol/pubsub'>
|     <items>
|       <item id='julietX509cert1hash'>
|         <key node='urn:xmpp:tmp:pubkey' type='user'>
|           <KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'>
|             <KeyName>julietX509cert1hash</KeyName>
|             This is the public part of my user key
|           </KeyInfo>
|         </key>
|       </item>
|       <item id='julietX509cert2hash'>
|         <key node='urn:xmpp:tmp:pubkey' type='client'>
|           <KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'>
|             <KeyName>julietX509cert1hash</KeyName>
|             This is a client key with signatures from my user key
|           </KeyInfo>
|         </key>
|       </item>
|       <item id='julietX509cert3hash'>
|         <key node='urn:xmpp:tmp:pubkey' type='client'>
|           <revoked>
|             This is a client key from a client I no longer trust.
|             The revoke must also be signed by my user key
|           </revoked>
|         </key>
|       </item>
|     </items>
|   </pubsub>
| </iq>

This would help me handle all my client keys.

> And yes, there was a lot of mushroom in the forest :-). Back to the
> kitchen...

Maybe my problem is deeper: we do not only have a lack of mushrooms in the city, we have a lack of forests :)

Dirk

-- 
A day without sunshine is like, you know, night.
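The delegation and revocation logic discussed in this thread, as an added example that is not part of the mail or of any XMPP implementation: a user key signs a document binding a client public key to a full JID (bare JID plus resource), and a revocation is only honoured when the same user key signed it. Ed25519 stands in for the X.509/XMLDSig keys of the pubsub example, the `xmpp-delegation:`/`xmpp-revocation:` prefixes and `KeyID` hashing are assumptions of this example rather than anything the thread specifies, and the sample JID is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Delegation is the signed document from the proposal: the client's public key
// bound to the full JID it may act as, signed by the user ("account") key.
// The XML wire format from the thread is out of scope here.
type Delegation struct {
	FullJID   string
	ClientPub ed25519.PublicKey
	Sig       []byte
}

// Revocation withdraws one client key and, as the mail requires, is also
// signed by the user key so nobody else can revoke on the user's behalf.
type Revocation struct {
	KeyID string
	Sig   []byte
}

// KeyID stands in for the 'julietX509cert1hash'-style pubsub item ids
// (assumed format: first 8 bytes of SHA-256 of the public key, hex-encoded).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// delegationMsg is the byte string actually signed; the tag gives domain
// separation and the fixed-size key at the end keeps it unambiguous.
func delegationMsg(jid string, pub ed25519.PublicKey) []byte {
	return append([]byte("xmpp-delegation:"+jid+":"), pub...)
}

func revocationMsg(id string) []byte { return []byte("xmpp-revocation:" + id) }

// Delegate is what the user key does when a new device is enrolled.
func Delegate(userPriv ed25519.PrivateKey, jid string, clientPub ed25519.PublicKey) Delegation {
	return Delegation{FullJID: jid, ClientPub: clientPub,
		Sig: ed25519.Sign(userPriv, delegationMsg(jid, clientPub))}
}

// Revoke produces the signed revocation for a client key the user no longer trusts.
func Revoke(userPriv ed25519.PrivateKey, clientPub ed25519.PublicKey) Revocation {
	id := KeyID(clientPub)
	return Revocation{KeyID: id, Sig: ed25519.Sign(userPriv, revocationMsg(id))}
}

// TrustStore is a verifier's view of the user's pubsub node: the user public
// key it already trusts, the client keys published under it, and revocations.
type TrustStore struct {
	UserPub     ed25519.PublicKey
	delegations map[string]Delegation
	revoked     map[string]bool
}

func NewTrustStore(userPub ed25519.PublicKey) *TrustStore {
	return &TrustStore{UserPub: userPub, delegations: map[string]Delegation{}, revoked: map[string]bool{}}
}

// Publish accepts a client key only if the user key signed it; a key signed by
// anyone else is discarded, so the server alone cannot add devices.
func (t *TrustStore) Publish(d Delegation) error {
	if !ed25519.Verify(t.UserPub, delegationMsg(d.FullJID, d.ClientPub), d.Sig) {
		return errors.New("delegation not signed by user key")
	}
	t.delegations[KeyID(d.ClientPub)] = d
	return nil
}

// PublishRevocation likewise honours a revocation only when the user key signed it.
func (t *TrustStore) PublishRevocation(r Revocation) error {
	if !ed25519.Verify(t.UserPub, revocationMsg(r.KeyID), r.Sig) {
		return errors.New("revocation not signed by user key")
	}
	t.revoked[r.KeyID] = true
	return nil
}

// Authorize answers: may this client key act as this full JID right now?
func (t *TrustStore) Authorize(jid string, clientPub ed25519.PublicKey) error {
	id := KeyID(clientPub)
	d, ok := t.delegations[id]
	switch {
	case !ok:
		return errors.New("unknown client key")
	case t.revoked[id]:
		return errors.New("client key revoked")
	case d.FullJID != jid:
		return fmt.Errorf("key is bound to %s, not %s", d.FullJID, jid)
	}
	return nil
}

func main() {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, _, _ := ed25519.GenerateKey(rand.Reader)
	store := NewTrustStore(userPub)
	const jid = "juliet@example.com/balcony" // constructed sample JID
	fmt.Println("publish:", store.Publish(Delegate(userPriv, jid, clientPub)))
	fmt.Println("authorize:", store.Authorize(jid, clientPub))
	fmt.Println("other resource:", store.Authorize("juliet@example.com/garden", clientPub))
	fmt.Println("revoke:", store.PublishRevocation(Revoke(userPriv, clientPub)))
	fmt.Println("after revoke:", store.Authorize(jid, clientPub))
}
```

Binding the full JID into the signed document is what stops a delegated key from being replayed under a different resource, and requiring the user key's signature on the revocation item is what keeps the server from silently unrevoking or revoking keys on its own.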
