On 10/20/10 2:52 PM, Philipp Hancke wrote:
> There is a minor problem with that from the XMPP-s2s POV: it does not
> (explicitly) cover the case where a server verifies the identity of a
> peer server (see rfc3920bis 6.2.4 or the s2s section of XEP 0178 for
> details).
> 
> AFAICS, the only difference is that the reference identifier is supplied
> by the peer instead of being constructed as described in section 4.2.
> 
> Therefore, I'd propose adding the following note to the end of section 4.1:
> Note: Some application protocols such as XMPP perform the procedure
> described in this section when verifying a server identity in a
> certificate presented by a TLS client. By this, and in contrast to the
> procedure described in the next subsection, the reference identifier is
> supplied by the peer (TLS client). Except for this and the inverted
> client-server role, the verification process remains unchanged.

Thanks for the proposed text. I suggest the following tweaks:

   Note: In some application protocols, the procedure described in this
   section can be performed by an application server acting as a TLS
   client when verifying a server-to-server connection, not only by an
   application client when verifying a client-to-server connection
   (e.g., this is true of XMPP).  In this case, the application server
   verifies the identity of the peer server that is attempting to connect
   and therefore the reference identifier is in essence supplied by the
   peer server (e.g., as triggered by a request to send a message from
   an entity associated with the peer server to an entity associated with
   the application service).  Other than the source of the reference
   identifier and the inverted roles of the TLS client and TLS server,
   the verification process remains unchanged.

/psa
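The distinction the two proposed notes draw is where the reference identifier comes from, not how it is compared. The following is an added example, not code from the certid thread or from any XMPP implementation: it models a peer's certificate identifiers as a constructed data structure and shows the client-to-server case (reference identifier built from the domainpart of the user's JID) beside the server-to-server case (reference identifier taken from the domain the connecting peer asserts), both feeding the same matching routine. The identifier forms (DNS-ID, SRV-ID, XmppAddr), the wildcard rule and the service names are the ones described in rfc3920bis / RFC 6125; the function names, the `PresentedIds` structure and the certificate contents are assumptions made for the example.

```python
"""Added example: same reference-identifier matching, two sources for the
reference identifier (c2s: constructed locally; s2s: supplied by the peer)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PresentedIds:
    """Identifiers extracted from a peer certificate (constructed inputs here).
    dns_ids: dNSName subjectAltName entries
    srv_ids: SRVName entries written as '_service.domain'
    xmpp_addrs: XmppAddr otherName entries (hypothetical representation)"""
    dns_ids: tuple
    srv_ids: tuple
    xmpp_addrs: tuple


def _labels(name):
    return name.lower().rstrip(".").split(".")


def dns_id_matches(presented, reference):
    """DNS-ID comparison: case-insensitive, label counts must agree, and a
    wildcard is honoured only as the entire left-most label of a name with
    at least three labels (so '*.net' never matches anything)."""
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == r[1:]
    return p == r


def reference_id_matches(ids, reference, service="xmpp-server"):
    """True if any presented identifier matches the reference identifier.
    Application-specific forms (XmppAddr, SRV-ID) are exact matches only;
    wildcards are considered for DNS-ID alone."""
    ref = reference.lower().rstrip(".")
    if ref in (x.lower() for x in ids.xmpp_addrs):
        return True
    if f"_{service}.{ref}" in (s.lower() for s in ids.srv_ids):
        return True
    return any(dns_id_matches(d, ref) for d in ids.dns_ids)


def reference_id_for_c2s(user_jid):
    """Client role: the reference identifier is constructed locally from the
    domainpart of the account the client is connecting for."""
    return user_jid.split("@", 1)[1].split("/", 1)[0]


def reference_id_for_s2s(peer_stream_from):
    """Server role (the note under discussion): the reference identifier is
    the domain the connecting peer server asserts, e.g. the 'from' of its
    stream header, so the peer supplies it rather than local configuration."""
    return peer_stream_from


# Constructed contents of a hypothetical certificate for example.net.
PEER_CERT = PresentedIds(
    dns_ids=("xmpp.example.net", "*.example.net"),
    srv_ids=("_xmpp-server.example.net",),
    xmpp_addrs=("example.net",),
)


def verify_c2s(user_jid, ids=PEER_CERT):
    """Client verifying a server: the client-to-server SRV service applies."""
    return reference_id_matches(ids, reference_id_for_c2s(user_jid),
                                service="xmpp-client")


def verify_s2s(peer_stream_from, ids=PEER_CERT):
    """Server verifying a connecting peer server: same matcher, reference
    identifier supplied by the peer, server-to-server SRV service."""
    return reference_id_matches(ids, reference_id_for_s2s(peer_stream_from),
                                service="xmpp-server")


if __name__ == "__main__":
    print("c2s alice@example.net:", verify_c2s("alice@example.net/laptop"))
    print("s2s from example.net:", verify_s2s("example.net"))
    print("s2s from example.org:", verify_s2s("example.org"))
```

One consequence worth noticing when the peer supplies the reference identifier: a wildcard DNS-ID such as `*.example.net` matches any single-label subdomain the peer chooses to assert, so a receiving server should treat wildcard-only certificates with more care in the server-to-server case than a client would in the client-to-server case, where the domain comes from its own configured account.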



_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid