And my hard-laboured formatting got messed up. Flat, but harder to understand:
Initiator opens connection
Target gets connection and presents certificate
Initiator verifies certificate with IC -> Fail if invalid
Initiator presents certificate
Target verifies certificate -> Fail if invalid
Success

The point is, from what I can tell, TLS supports all of that. Sorry, my TLS literature isn't as good as some of the rest of you ;).

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Jonathan Dickinson
> Sent: Thursday, August 21, 2008 4:37 PM
> To: XMPP Security
> Subject: Re: [Security] TLS-SRP Questions
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Eric Rescorla
> > Sent: Thursday, August 21, 2008 4:13 PM
> > To: XMPP Security
> > Subject: Re: [Security] TLS-SRP Questions
> >
> > ...
> >
> > > May be a n00b comment, but If we had verifiable certificates (via an
> > > IC) the client is given the opportunity to present their certificate. I
> > > am not sure how this works, all that I have to go on is that in .net
> > > TLS streams there is an event called PresentClientCertificate (or
> > > something along those lines).
> >
> > I'm not sure I understand the question...
>
> From what I can tell (I haven't gotten to using the API yet, other
> things still to do on my server), a mutual exchange of certificates is
> possible. Out of the scope of this document I would assume that means
> that a client would be able to give their certificate to a server and
> authenticate that way (the reason for SASL External I assume).
>
> In a similar fashion, if we use TLS XMPP IBB the initiator can be seen
> as the client. Thus:
>
> Initiator --> TLS via XMPP --> Target -----\
> /-- Target <--- (Initiator certificate) <--/
> \--> Cert ok? --> (Target certificate) --\
> Success <-- Cert ok? <-- Initiator <-----/
>
> Best viewed at 1024x768 in your console of choice ;).
>
> >
> > -Ekr
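The six-step exchange above (target presents its certificate, initiator verifies it against the IC, initiator presents its own, target verifies it, success or fail), as an added example that is not part of the original thread and not code from any XMPP library: it runs Go's crypto/tls over a loopback TCP socket standing in for the XMPP stream, with a throwaway IC, a second IC nobody trusts, and two leaf certificates all generated in-process. The names trusted-ic, rogue-ic, target.example and initiator.example are made up for the demo, and the initiator's ServerName check is an assumption about how the target is named.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the throwaway certificate setup short; failure here is a bug, not a scenario.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert makes a fresh P-256 key and certificate: a self-signed CA (the thread's "IC")
// when parent is nil, otherwise a leaf signed by parent that can act as target or initiator.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // the initiator matches ServerName against this SAN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// mutualHandshake runs the thread's exchange over loopback TCP (standing in for the XMPP
// stream): target presents its certificate, initiator verifies it against the IC, initiator
// presents its own, target verifies that. Returns the CN the target saw in the initiator's
// certificate, or the first verification error.
func mutualHandshake(ic, target, initiator tls.Certificate) (string, error) {
	pool := x509.NewCertPool() // the IC both sides trust
	pool.AddCert(ic.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{target},
		ClientAuth:   tls.RequireAndVerifyClientCert, // "Target verifies certificate -> Fail if invalid"
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var peerCN string
	targetDone := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			if err = c.(*tls.Conn).Handshake(); err == nil {
				peerCN = c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
				_, err = c.Write([]byte("ok")) // tells the initiator the target accepted it
			}
		}
		targetDone <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{initiator},
		RootCAs:      pool,             // "Initiator verifies certificate with IC -> Fail if invalid"
		ServerName:   "target.example", // assumed name; must match the target leaf's SAN
	})
	if err != nil {
		return "", fmt.Errorf("initiator: %w", err)
	}
	defer cli.Close()
	// In TLS 1.3 the initiator's handshake completes before the target has checked its
	// certificate, so wait for the target's verdict before reporting success.
	_, readErr := cli.Read(make([]byte, 2))
	if err := <-targetDone; err != nil {
		return "", fmt.Errorf("target: %w", err)
	}
	return peerCN, readErr
}

// scenario issues the target and initiator leaves from the trusted IC or, when flagged,
// from a rogue IC the peer does not trust, then runs the exchange. All names are made up.
func scenario(rogueTarget, rogueInitiator bool) (string, error) {
	ic, rogue := newCert("trusted-ic", nil), newCert("rogue-ic", nil)
	issuer := map[bool]*tls.Certificate{false: &ic, true: &rogue}
	target := newCert("target.example", issuer[rogueTarget])
	initiator := newCert("initiator.example", issuer[rogueInitiator])
	return mutualHandshake(ic, target, initiator)
}

func main() {
	fmt.Println(scenario(false, false)) // both leaves from the trusted IC: succeeds
	fmt.Println(scenario(true, false))  // target's leaf from the rogue IC: initiator rejects it
	fmt.Println(scenario(false, true))  // initiator's leaf from the rogue IC: target rejects it
}
```

Two points a practitioner would take from running this. First, the "Success" step in the list is the target's to declare: with TLS 1.3 the initiator's own Handshake() returns before the target has looked at its certificate, so an implementation must not treat a completed client-side handshake as proof of being accepted; here the initiator waits for the target's first application byte (or the alert that replaces it). Second, the identity the target ends up with is ConnectionState().PeerCertificates[0], which is exactly what an XMPP server would feed into SASL EXTERNAL after the TLS layer has done the "Cert ok?" checks. Loopback TCP is used rather than an in-memory pipe because both sides need buffering between them for the alert-on-failure paths to complete without deadlocking.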
