[jdev] S2S security with TLS certificates?

Peter Saint-Andre stpeter at jabber.org
Mon Jul 31 10:35:34 CDT 2006


Scott Cotton wrote:
> 
> Hi all,
> 
> Another question from a newbie. I'm interested to know any pointers or
> opinions about using TLS certificates (with trust chains) as a means to
> authenticate the originator of an incoming s2s connection.
> 
> In particular, is it considered a feasible policy for an XMPP server to
> accept stanzas from an incoming s2s connection so long as the FQDN of the
> "from" attribute of the stanza matches the common name of the incoming
> server's certificate, and that certificate is valid and signed by a
> trusted certificate authority? (Of course assuming all else is OK for
> accepting the stanza.)
> 
> RFC 3920 talks about certificate handling mostly in the client-to-server
> context, and refers to an informational RFC (2818) for further
> information. That document also considers a client-server circumstance
> where the hostname (URI) is known to the client ahead of time. This does
> not seem the case when considering an incoming server-server connection,
> in addition to the reversal of roles (receiving end wants to authenticate
> initiating end).
> 
> Maybe I'm missing something (please do tell if so). It seems like there
> should be some sort of middle ground between SASL and dialback, since
> dialback is optional and SASL hard to coordinate for public federation.
> Maybe policy w.r.t. TLS certificates or an SPF-like approach (see
> openspf.org <http://openspf.org>), or requiring dialback for publicly
> federated servers would be of interest.

The recommended approach is TLS + SASL EXTERNAL. Essentially, once you 
do TLS with a trusted certificate, SASL EXTERNAL is pro-forma (you just 
point to the cert and say "use that"). So I don't see a need for 
something in between SASL and dialback. However, we do have a need for 
X.509 certificates that are easier for server administrators to obtain. 
I'm working on that with some existing certification authorities.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
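As an added example (not from this thread or either author), here is the stanza-level check Scott describes, written against the dict shape Python's `ssl.SSLSocket.getpeercert()` returns once the peer's chain has been verified against the server's trusted CAs (with `cert_reqs=ssl.CERT_REQUIRED`). It prefers subjectAltName dNSName entries and uses the subject CN only as a legacy fallback; the certificate data below is constructed, not a real certificate.

```python
"""Does an inbound s2s stanza's 'from' domain fall under the peer's verified
TLS certificate?  Input is the dict returned by ssl.SSLSocket.getpeercert(),
which is empty unless the chain verified against the trusted CA store."""


def stanza_from_domain(from_attr: str) -> str:
    """Domain part of a JID: drop the resource, then the localpart."""
    bare = from_attr.split("/", 1)[0]
    return bare.rsplit("@", 1)[-1].lower().rstrip(".")


def cert_identities(peercert: dict) -> list[str]:
    """dNSName SAN entries if any; otherwise fall back to the subject CN."""
    sans = [v for (kind, v) in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return [s.lower() for s in sans]
    # 'subject' is a tuple of RDNs, each a tuple of (type, value) pairs.
    cns = [v for rdn in peercert.get("subject", ()) for (k, v) in rdn
           if k == "commonName"]
    return [c.lower() for c in cns]


def from_is_authorized(from_attr: str, peercert: dict) -> bool:
    """True only if the cert verified (non-empty dict) and one of its
    identities exactly equals the stanza's 'from' domain."""
    if not peercert:
        return False  # no verified certificate: never trust the 'from'
    domain = stanza_from_domain(from_attr)
    return bool(domain) and domain in cert_identities(peercert)


# Constructed sample in the getpeercert() shape (hypothetical names).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "xmpp.example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "xmpp.example.org")),
}

if __name__ == "__main__":
    print(from_is_authorized("romeo@example.org/balcony", SAMPLE_PEERCERT))
    print(from_is_authorized("romeo@other.example/balcony", SAMPLE_PEERCERT))
```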
