[jdev] x509 client authorization
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Mon Mar 29 14:15:23 CST 2004
On Monday 29 March 2004 10:26 am, Ian Stokes-Rees wrote:
> Justin Karneges wrote:
> > I have been able to authenticate using x509, but between servers. It's
> > the same for clients though.
>
> OK, it seems like this happens automatically already, so I think I have
> done this as well, just by providing a combined public/private key PEM
> file to jabberd2.
Actually, I don't think jabberd2 supports server-to-server TLS.
> I understand that in principle, but the details are the important part.
> I imagine the c2s.xml <authreg> section will require a number of
> changes, and possibly also the sm.xml <module> chains. On the client
> side it is no longer just a matter of establishing an encrypted SSL link
> between two hosts, but actually verifying the certificate trust chain
> back to a trusted CA.
Clients should already be verifying the server's certificate in this way, else
they are insecure and/or broken.
If you want the client to authenticate to the server via a certificate (the
reverse situation), then this means the _client_ has to present a
certificate, and the _server_ has to verify it.
> Furthermore, I don't quite see how the whole thing fits together since
> servers are trusted to forward messages. Without some fixed mapping of
> CA certificate to (probably a set of) JID (sort of like a CA signing
> policy file), and cryptographically signed jabber messages, I would have
> thought it was very easy for a rogue (or hacked) server to fabricate
> messages, since there is no user-user (or client-client, or JID-JID)
> certificate authentication.
Indeed, TLS is only between XML streams, not Jabber endpoints. For end-to-end
security, see your other thread on standards-jig.
-Justin
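The check Justin describes (the client presents a certificate, the server verifies the chain and then decides which JID that certificate may authenticate as) is the part a server still has to implement after TLS itself has succeeded. The following is an added example written for this page, not jabberd2 code and not any standard format: it assumes the peer certificate in the shape Python's ssl.SSLSocket.getpeercert() returns after chain verification, and a constructed CA_POLICY table standing in for the "CA signing policy file" Ian mentions (which CA may vouch for which JID domains). It also assumes the JID is carried as an rfc822Name subjectAltName; real XMPP certificates use the id-on-xmppAddr otherName, which the ssl module does not decode, so a production check would parse the DER instead.

```python
import ssl
import time

# Constructed policy (assumption, not a real file format): issuer commonName
# -> the JID domains that CA is trusted to vouch for.  Chain validity is
# assumed to have been checked by the TLS layer already; this is only the
# authorization step that follows.
CA_POLICY = {
    "Example Jabber CA": {"example.com", "chat.example.com"},
}


def _dn_field(dn, key):
    """First value for `key` in a getpeercert()-style DN ((('k', 'v'),), ...)."""
    for rdn in dn:
        for k, v in rdn:
            if k == key:
                return v
    return None


def cert_identities(peercert):
    """JIDs the certificate asserts.  Assumption: rfc822Name SANs, which
    getpeercert() exposes as ('email', value); an '@'-bearing CN is accepted
    as a fallback."""
    ids = [v for (kind, v) in peercert.get("subjectAltName", ()) if kind == "email"]
    cn = _dn_field(peercert.get("subject", ()), "commonName")
    if cn and "@" in cn:
        ids.append(cn)
    return ids


def authorize_client_cert(peercert, claimed_jid, now=None):
    """Return (ok, reason): may the verified client cert log in as claimed_jid?

    The resource part of the JID is ignored; the bare JID must be named by the
    certificate, and the issuing CA must be allowed for that JID's domain."""
    if not peercert:
        return False, "no client certificate presented"
    now = time.time() if now is None else now
    try:
        if now > ssl.cert_time_to_seconds(peercert["notAfter"]):
            return False, "certificate expired"
    except (KeyError, ValueError):
        return False, "certificate has no parseable notAfter"
    issuer = _dn_field(peercert.get("issuer", ()), "commonName")
    allowed_domains = CA_POLICY.get(issuer)
    if allowed_domains is None:
        return False, "issuer %r is not an authorised CA" % issuer
    bare_jid = claimed_jid.split("/", 1)[0].lower()
    domain = bare_jid.rpartition("@")[2]
    if domain not in allowed_domains:
        return False, "CA %r may not vouch for domain %r" % (issuer, domain)
    if bare_jid not in {i.lower() for i in cert_identities(peercert)}:
        return False, "certificate does not name %r" % bare_jid
    return True, "ok"


# Constructed sample, shaped like getpeercert() output for a client cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "alice@example.com"),),),
    "issuer": ((("commonName", "Example Jabber CA"),),),
    "subjectAltName": (("email", "alice@example.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "version": 3,
    "serialNumber": "01",
}

if __name__ == "__main__":
    fixed_now = 1800000000  # early 2027, inside the sample cert's validity
    for jid in ("alice@example.com/laptop", "bob@example.com", "alice@evil.org"):
        print(jid, authorize_client_cert(SAMPLE_CERT, jid, now=fixed_now))
```

Note what this does not give you: the decision binds a certificate to one XML stream only. A message relayed by another server arrives with no client certificate attached, which is exactly the gap Ian raises; end-to-end signing is a separate mechanism.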