On Wed Apr 2 16:53:27 2008, Boyd Fletcher wrote:
Over the last couple of years we have discussed various approaches
to add
digital signature support to XMPP that did not violate the XML
nature of
XMPP like RFC3923. We would like to propose a method of using W3C¹s
XML
Digital Signature specification. Below is description of how we use
the W3C
spec with XMPP. We have been using this approach for about 3 years
and it
seems to work quite well though it is a bit expensive in terms of
message
size but with digital signatures, I¹m not sure that can be avoided.
We are curious what other people think and if its worth moving
forward with
a XEP to formally describe the approach.
FX: Shuffling of hats - this is mostly as an Isode guy.
Based on a quick skim.
Internally at Isode, we have been tossing back and forth the idea of
using XTLS to provide end-to-end authentication via X.509
authenticated TLS channels. These need not be encrypted, but could
have integrity. The benefit here is that it dissociates the stanza
from the signature, and removes canonicalization, both of which are
quite nice. We need integrity-protected, authenticated channels
and/or stanzas for security labelling, as in our recent whitepaper.
On the other hand, this is probably a better mechanism, assuming that
sufficient implementation peices exist, and we're perfectly willing
to aim for this if possible.
It occurs to me that if the basic signature details (ie, everything
bar the ds:SignatureValue) used some other path, this might well be
preferable. XEP-0155 and/or Disco strike me as possible methods here.
These might reduce the size of the stanzas.
Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
