Re: [Standards] Proposed XMPP Extension: Client Certificate Management for SASL EXTERNAL
XMPP Extensions Editor wrote:
> The XMPP Extensions Editor has received a proposal for a new XEP.
> Title: Client Certificate Management for SASL EXTERNAL
> Abstract: This specification defines a method to manage client certificates that can be used with SASL External to allow clients to log in without a password.
> URL: http://www.xmpp.org/extensions/inbox/sasl-external-cert-handling.html
> The XMPP Council will decide at its next meeting whether to accept this proposal as an official XEP.

This is quite sensible; it reminds me of an older IETF effort called SACRED (see RFC 3767 and friends). I've scanned the document and have some quick comments/questions:

> Example 4. Client revokes an X.509 Certificate

Where is defined?

[...]

> 3. SASL EXTERNAL
> The protocol flow is similar to the one described in XEP-0178. Only step 9 is different: the certificate does not need to be signed by a trusted entity if the certificate was uploaded by the user. The server still MUST reject the certificate if it is expired. The client certificate SHOULD include a JID as defined in sections 15.2.1.2. and 15.2.1.3. in rfc3920bis: a JID MUST be represented as an XmppAddr, i.e., as a UTF8String within an otherName entity inside the subjectAltName.

I assume this proposal doesn't prevent use of certificates properly signed by a CA, which were not uploaded?

> 4. Security Considerations

I think this XEP-to-be should REQUIRE at least use of TLS integrity protection and/or SASL security layer with integrity protection. Without that any man-in-the-middle that can inject data into a TCP stream can upload arbitrary certificates (for which he/she has the private key), so effectively giving himself/herself full access to the account.
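The XmppAddr encoding the reviewer quotes (a UTF8String inside an otherName in the subjectAltName) is concrete enough to show as code. What follows is an added example, not part of the thread or of the proposed XEP: a pure-Python DER encoder and parser for the subjectAltName GeneralNames value, plus the match a server would make between the certificate and the JID a client asks to authenticate as with SASL EXTERNAL. The OID 1.3.6.1.5.5.7.8.5 is id-on-xmppAddr from PKIX/RFC 3920; the JID juliet@example.com, the hostname, and the helper names are constructed for the example, and JIDs are assumed to be already canonicalized (stringprep), so the comparison is an exact string match.

```python
"""Added example (not from the thread or the proposed XEP): build and parse a
subjectAltName GeneralNames value that carries a JID as an XmppAddr otherName,
the encoding rfc3920bis section 15.2.1.3 prescribes for SASL EXTERNAL.
Pure-Python DER, no third-party modules. Sample JIDs/hostnames are constructed."""

# id-on-xmppAddr ::= { id-pkix 8 5 } = 1.3.6.1.5.5.7.8.5 (PKIX other-name arc)
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"


def _der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """Base-128 OID encoding; first two arcs are packed into one byte."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Read one tag/length/value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_san(jids, dns_names=()):
    """GeneralNames ::= SEQUENCE OF GeneralName.
    otherName is [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY };
    for XmppAddr the value is a UTF8String. dNSName is [2] IMPLICIT IA5String."""
    names = b""
    for jid in jids:
        value = _tlv(0xA0, _tlv(0x0C, jid.encode("utf-8")))  # [0] EXPLICIT UTF8String
        names += _tlv(0xA0, _tlv(0x06, _encode_oid(ID_ON_XMPPADDR)) + value)
    for host in dns_names:
        names += _tlv(0x82, host.encode("ascii"))
    return _tlv(0x30, names)


def xmpp_addrs(san_der):
    """Return every XmppAddr JID in a DER GeneralNames value; other name forms
    (dNSName, rfc822Name, ...) are skipped, which is what an XMPP server wants."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    jids, pos = [], 0
    while pos < len(body):
        tag, name, pos = _read_tlv(body, pos)
        if tag != 0xA0:  # not an otherName
            continue
        oid_tag, oid_body, p = _read_tlv(name, 0)
        if oid_tag != 0x06 or _decode_oid(oid_body) != ID_ON_XMPPADDR:
            continue  # some other otherName type (e.g. SRVName)
        ctx_tag, ctx_body, _ = _read_tlv(name, p)
        str_tag, str_body, _ = _read_tlv(ctx_body, 0)
        if ctx_tag != 0xA0 or str_tag != 0x0C:
            raise ValueError("XmppAddr value must be [0] EXPLICIT UTF8String")
        jids.append(str_body.decode("utf-8"))
    return jids


def jid_matches(san_der, authzid):
    """Server-side SASL EXTERNAL check: the bare JID the client wants to act
    as must be one of the certificate's XmppAddr entries (assumed stringprep'd)."""
    bare = authzid.split("/", 1)[0]
    return bare in xmpp_addrs(san_der)


# Constructed sample: one XmppAddr plus a dNSName that must be ignored.
SAMPLE_SAN = encode_san(["juliet@example.com"], ["example.com"])
```

Expiry is checked separately from the SAN walk: the reviewer's reading of the draft is that an expired certificate is rejected whether or not it was uploaded by the user, so a server would compare notBefore/notAfter against the current time before ever calling `jid_matches`.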
[Standards] [Fwd: [Council] meeting minutes, 2008-12-03]
FYI.

Original Message
Date: Wed, 03 Dec 2008 15:07:51 -0700
From: Peter Saint-Andre <[EMAIL PROTECTED]>
To: XMPP Council <[EMAIL PROTECTED]>
Subject: [Council] meeting minutes, 2008-12-03

Results of the XMPP Council meeting held 2008-12-03...

Agenda: http://xmpp.org/council/agendas/2008-12-03.html
Log: http://logs.jabber.org/[EMAIL PROTECTED]/2008-12-03.html
Scribe: Peter Saint-Andre

0. Roll call
Present: Dave Cridland, Ralph Meijer, Jack Moffitt, Peter Saint-Andre, Kevin Smith. Quorum achieved.

1. Agenda bashing
None.

2. XEP-0085
Discussed the suggested handling of threads and session-ending events. Dave proposed some text that we could add to XEP-0085, and there is agreement that we need to stabilize XEP-0201 regarding threads.

3. Message Mine-ing
Lengthy discussion regarding possible approaches. Kevin will post to the standards@ list about his counter-proposal.

4. Jingle
Council members encouraged to poke their favorite Jingle developers to get feedback during the Last Call on XEPs 166, 167, 176, and 177. There is a lively discussion on the jingle@ list right now.

5. Priorities for 2009
Agreement that the highest priorities are end-to-end encryption and file transfer. Some discussion of each. More to follow.

6. Any other business?
None.

7. Next meeting.
Wednesday, 2008-12-10 @ 20:00 UTC
http://xmpp.org/xsf/XSF.ics

/psa
[Standards] Proposed XMPP Extension: Security Labels in XMPP
The XMPP Extensions Editor has received a proposal for a new XEP.

Title: Security Labels in XMPP
Abstract: This document describes the use of security labels in XMPP. The document specifies how security label metadata is carried in XMPP, when this metadata should or should not be provided, and how the metadata is to be processed.
URL: http://www.xmpp.org/extensions/inbox/security-labels.html

The XMPP Council will decide at its next meeting whether to accept this proposal as an official XEP.
[Standards] Proposed XMPP Extension: Client Certificate Management for SASL EXTERNAL
The XMPP Extensions Editor has received a proposal for a new XEP.

Title: Client Certificate Management for SASL EXTERNAL
Abstract: This specification defines a method to manage client certificates that can be used with SASL External to allow clients to log in without a password.
URL: http://www.xmpp.org/extensions/inbox/sasl-external-cert-handling.html

The XMPP Council will decide at its next meeting whether to accept this proposal as an official XEP.
Re: [Standards] Message Mine'ing
On 02.12.2008 at 22:58, Peter Saint-Andre wrote:
> Right, and that gets back to the definition of threads and chat sessions, which we've never settled.

Oddly, people seem to adjust quite well to the messy reality of not having neat definitions...

When I find the time, I'll try to provide a diff for the two XEPs. Feel free to remind me of that if I forget to do it ;).

-- Jonathan
Re: [Standards] Message Mine'ing
2008/12/3 Dave Cridland <[EMAIL PROTECTED]>:
>
> So... My desktop gets a message:
>
> to='[EMAIL PROTECTED]/desktop-client'>
> You still there?
>
> But, sadly, I'm not there - I've walked into the kitchen to boil the kettle. Luckily, I do have my mobile device upon me. My desktop client doesn't know I'm not there, it only knows I've not yet waved my mouse upon the window, so it's doing the orange-flashy-thing in my taskbar. (These things probably have good, proper, names.)
>
> But, as well as that, it also does this:
>
> count='1'/>
>
> Now, my other clients all see this, and can Ding accordingly, flash their taskbar bits, or whatever else it is that they do. (They might do this only after a short period, of course, but then, my desktop client might only send out intra-jid presence updates after a short period, too).

Deja vu: s/message/Jingle session initiation/g

-lauri
Re: [Standards] Message Mine'ing
On Wed Dec 3 10:20:12 2008, Dirk Meyer wrote:
> Dave Cridland wrote:
> > But, as well as that, it also does this:
> >
> If I'm in your roster, don't I get the presence update, too?

No, this is directed presence, not a broadcast - note the to attribute - so it'll only go to your own jid. (But it goes to all resources, whatever the priority.)

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
Re: [Standards] Message Mine'ing
Dave Cridland wrote:
> But, as well as that, it also does this:
>

If I'm in your roster, don't I get the presence update, too? And I would think: Ah, he is chatting with Peter again. Not good for privacy. Maybe I always wanted to know the JID of the Peter guy you so often chat with, now I know it.

Dirk

--
Five exclamation marks, the sure sign of an insane mind.
-- (Terry Pratchett, Reaper Man)