Hi, before updating the XML file I want to discuss changes to XEP-0189 Public Key Publishing here. This post/thread should be about keyinfo.
I want to replace KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig# to something self-defined. xmlsig is very complicated and developers know how to handle X.509 certificates in PEM format. There is also much better support for that in SSL libraries. On the downside my proposal is not so XMLish. This should also be used for XEP-0250. Proposal: <keyinfo xmlns='urn:xmpp:tmp:pubkey'> <x509 fingerprint='571b23d99892f4566017426e92c377288ed6c983'> <certificate> MIICXDCCAcWgAwIBAgIJAKBfLqul2lj3MA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV BAMUHmRtZXllckBqYWJiZXIuY29tXDJmdGVzdGNsaWVudDAeFw0wODA5MDYxOTI0 MjVaFw0wOTA5MDYxOTI0MjVaMCkxJzAlBgNVBAMUHmRtZXllckBqYWJiZXIuY29t XDJmdGVzdGNsaWVudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwaRLyj7J /mmliYhjEwGnRGRs6gmcPaIywEK2QLFz6c3/RmRabYbIOE0iZ22D33TguSNQBWfd lweT3bBETUhd3yuCcqWO5Ptiq/6wulMlxVeV5mxwNP/IF94VPWj0jHbRJcU8ZhS4 UnX6R5q6OSfBGdUU4mYKdiaHpgqTAO9eeqUCAwEAAaOBizCBiDAdBgNVHQ4EFgQU b8touIdFuXF5clv2I/S1aOOFdN4wWQYDVR0jBFIwUIAUb8touIdFuXF5clv2I/S1 aOOFdN6hLaQrMCkxJzAlBgNVBAMUHmRtZXllckBqYWJiZXIuY29tXDJmdGVzdGNs aWVudIIJAKBfLqul2lj3MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA pA5tI1J9Qpn3jSoQctFksRLb2H3A48R3rU8/qnarwE/AyOvth3k3ulLEmhJBT+0S mVb6WzrZEA/2plu7DhR8ylhuvJv6cAEIN+TPha3yzO2P8uoVZf7hdunOhMLl2Z6w xEfiGI5X9OsaMeFOQa+B2C3uUVAMLbVV7Rp/qQkai1Y= </certificate> </x509> <signature fingerprint='428b1358a286430f628da23fb33ddaf6e474f5c5'> oMt+lwgGms8Ep9zBZMWteAy+LD/hZ7VzO4IiS2e+eQbSoyIF2Lh2257jX9dUJgD8 sr1XxMY7yYamorUY2SfzfBjKsvC4btAv7H4fCd6JEnH6PpkLifZ4Y5vZL7WAojqM wxLLCg420sVEuEJW56D/f+GWj+uvrQ/cAhKSx2mSY7o= </signature> </keyinfo> Fingerprint is the fingerprint of the X.509 certificate. Evey SSL lib should be able to provide this. Certificate is the certificate in PEM format. If I understand it correctly, the PEM format is the DER format encoded with Base64. The BEGIN CERTIFICATE and END CERTIFACE stuff from PEM was removed. The signature is created by calling the hash and sign function of my TLS library on everything between <certificate> and </certificate> without the whitespaces or line break. So, it is a signature of the PEM encoded certificate. This signature was transformed to Base64 after signing. The signature is optional and there can be more than one signature. Besides the certificate and the signature the keyinfo may also contain <revoked/> or <expired/>. In that case the key should not be used anymore. <keyinfo xmlns='urn:xmpp:tmp:pubkey'> <x509 fingerprint='571b23d99892f4566017426e92c377288ed6c983'> <certificate> ... </certificate> </x509> <signature fingerprint='428b1358a286430f628da23fb33ddaf6e474f5c5'> ... </signature> </revoked/> </keyinfo> Besides X.509 OpenPGP should also be supported. I had not looked into an implementation but I guess it would look similar. The signature is outside the x509 element to make it possible to sign OpenPGP keys with the the private key of a X.509 certificate and the other way around. I do not know how this list handles attachments so I put some test code to http://files.sachmittel.de/xep-0189.py This code contains the certificates and private keys used in this example. Dirk -- 'The Geek shall inherit the earth.' - Linus 5:5
