[jdev] S2S security with TLS certificates?
Scott Cotton
wsc at mindowl.com
Mon Jul 31 10:23:22 CDT 2006
Hi all,
Another question from a newbie. I'm interested to know any pointers or opinions about using TLS certificates (with trust chains) as a means to authenticate the originator of an incoming s2s connection.

In particular, is it considered a feasible policy for an xmpp server to accept stanzas from an incoming s2s connection so long as the fqdn of the "from" attribute of the stanza matches the common name of the incoming server's certificate, and that certificate is valid and signed by a trusted certificate authority? (Of course assuming all else is ok for accepting the stanza.)

RFC3920 talks about certificate handling mostly in the client-to-server context, and refers to an informational RFC (2818) for further information. That document also considers a client-server circumstance where the hostname (uri) is known to the client ahead of time. This does not seem the case when considering an incoming server-server connection, in addition to the reversal of roles (receiving end wants to authenticate initiating end).

Maybe I'm missing something (please do tell if so). It seems like there should be some sort of middle ground between SASL and dialback, since dialback is optional and SASL hard to coordinate for public federation. Maybe policy w.r.t. TLS certificates or an SPF-like approach (see openspf.org), or requiring dialback for publicly federated servers would be of interest.
Best Regards,
--
scott