> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Rescorla
> Sent: Thursday, August 21, 2008 4:13 PM
> To: XMPP Security
> Subject: Re: [Security] TLS-SRP Questions
>
> ...
>
> > May be a n00b comment, but if we had verifiable certificates (via an
> > IC) the client is given the opportunity to present their certificate. I
> > am not sure how this works, all that I have to go on is that in .net
> > TLS streams there is an event called PresentClientCertificate (or
> > something along those lines).
>
> I'm not sure I understand the question...
> From what I can tell (I haven't gotten to using the API yet, other things
> still to do on my server), a mutual exchange of certificates is possible. Out
> of the scope of this document I would assume that means that a client would be
> able to give their certificate to a server and authenticate that way (the
> reason for SASL External I assume).

In a similar fashion, if we use TLS XMPP IBB the initiator can be seen as the
client. Thus:

Initiator --> TLS via XMPP --> Target -----\
/-- Target <--- (Initiator certificate) <--/
\--> Cert ok? --> (Target certificate) --\
Success <-- Cert ok? <-- Initiator <-----/

Best viewed at 1024x768 in your console of choice ;).

> > -Ekr
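The exchange in the diagram above, written out as an added example that is not part of this thread and not the .NET or XMPP API being discussed: Go's crypto/tls is used to run one mutually authenticated TLS handshake, with the initiator as TLS client and the target as TLS server. Assumptions: an in-memory net.Pipe stands in for the XMPP in-band bytestream, both parties use self-signed certificates constructed on the fly, the names "initiator", "target" and "stranger" are made up, and the helpers Party, NewParty, CertOK and MutualHandshake are hypothetical names for this example. Each side's "Cert ok?" step is the standard chain check against the certificates it has chosen to trust; the stranger case shows the target refusing an initiator whose certificate it does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Party is one end of the exchange: its own certificate plus the peer
// certificates it is willing to accept. Hypothetical type for this example.
type Party struct {
	Name  string
	Cert  tls.Certificate
	Leaf  *x509.Certificate
	Trust *x509.CertPool
}

// NewParty builds a self-signed certificate for a named party. This is
// constructed test material; a deployment would use CA-issued certificates.
func NewParty(name string) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // what the initiator matches ServerName against
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // a self-signed cert is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	return &Party{Name: name, Cert: cert, Leaf: leaf, Trust: x509.NewCertPool()}, nil
}

// CertOK is the "Cert ok?" step of the diagram on its own: does the peer's
// certificate chain to something we trust, and is it allowed for that role?
func CertOK(peer *x509.Certificate, trust *x509.CertPool, role x509.ExtKeyUsage) error {
	_, err := peer.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{role}})
	return err
}

// MutualHandshake runs one TLS session over an in-memory pipe (standing in
// for the XMPP in-band bytestream), initiator as TLS client and target as TLS
// server. Each side must present a certificate the other trusts. It returns
// the CommonName each side authenticated for its peer.
func MutualHandshake(initiator, target *Party) (initiatorSaw, targetSaw string, err error) {
	cconn, sconn := net.Pipe()
	defer cconn.Close()
	defer sconn.Close()
	// net.Pipe writes are synchronous; a deadline turns a rejected handshake,
	// where one side stops reading, into an error instead of a hang.
	deadline := time.Now().Add(3 * time.Second)
	cconn.SetDeadline(deadline)
	sconn.SetDeadline(deadline)

	srv := tls.Server(sconn, &tls.Config{
		Certificates:           []tls.Certificate{target.Cert},
		ClientAuth:             tls.RequireAndVerifyClientCert, // target checks the initiator's cert
		ClientCAs:              target.Trust,
		SessionTicketsDisabled: true, // no post-handshake write that the initiator never reads
	})
	cli := tls.Client(cconn, &tls.Config{
		Certificates: []tls.Certificate{initiator.Cert},
		RootCAs:      initiator.Trust, // initiator checks the target's cert
		ServerName:   target.Name,
	})

	srvDone := make(chan error, 1)
	go func() { srvDone <- srv.Handshake() }()
	cliErr := cli.Handshake()
	srvErr := <-srvDone
	if cliErr != nil {
		return "", "", fmt.Errorf("initiator side: %w", cliErr)
	}
	if srvErr != nil {
		return "", "", fmt.Errorf("target side: %w", srvErr)
	}
	return cli.ConnectionState().PeerCertificates[0].Subject.CommonName,
		srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ini, _ := NewParty("initiator")
	tgt, _ := NewParty("target")
	ini.Trust.AddCert(tgt.Leaf) // each side trusts the other's certificate
	tgt.Trust.AddCert(ini.Leaf)
	fmt.Println(MutualHandshake(ini, tgt)) // target initiator <nil>

	stranger, _ := NewParty("stranger")
	stranger.Trust.AddCert(tgt.Leaf) // trusts the target, but the target does not trust it
	_, _, err := MutualHandshake(stranger, tgt)
	fmt.Println("stranger rejected:", err != nil) // stranger rejected: true
}
```

The point of running it both ways is that "Cert ok?" happens twice and independently: the initiator verifies the target's certificate against its own trust store and the ServerName, and the target verifies the initiator's certificate against ClientCAs; RequireAndVerifyClientCert is what makes the target-side check mandatory rather than optional. The SASL EXTERNAL step mentioned in the quoted text would then map the CommonName the target authenticated to an XMPP identity.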
