Over the last couple of years we have discussed various approaches to add digital signature support to XMPP that did not violate the XML nature of XMPP like RFC 3923. We would like to propose a method of using W3C's XML Digital Signature specification. Below is a description of how we use the W3C spec with XMPP. We have been using this approach for about 3 years and it seems to work quite well, though it is a bit expensive in terms of message size, but with digital signatures I'm not sure that can be avoided.
We are curious what other people think and if it's worth moving forward with an XEP to formally describe the approach.

boyd details: We chose to use the W3C spec because it's standardized, well understood, and widely implemented. We were not planning to address how the public keys between the users are exchanged or how the certificates are validated.

A digital signature is encapsulated in the <ds:Signature/> element. This signature element is a child element of <message/>, <presence/>, or <iq/>. A client or server would use the JID in XMPP stanzas to look up a client's X509 certificate. When multiple certificates are available for that JID, the <ds:KeyName/> will identify which to use. The <ds:KeyName/> carries an X509 fingerprint, which is an MD5 digest of the X509 certificate formatted as hex characters, each byte separated by a colon. For example:

<ds:KeyName>94:01:67:A6:45:70:B3:AD:8D:A3:8D:B9:2F:46:AA:52</ds:KeyName>

A digitally signed IQ stanza. Note this does cause a slight incompatibility with the current IQ schema, as we would like to put the digital signature as a 2nd child node of IQ to make it consistent with message and presence stanzas.
<iq xmlns="jabber:client" from="[EMAIL PROTECTED]/TransVerse" id="MUCServiceInterface.roomInfo16" to="[EMAIL PROTECTED]" type="get">
  <query xmlns="http://jabber.org/protocol/disco#info"></query>
  <x xmlns="jabber:x:tstamp" tstamp="2008-03-11T17:36:18.150Z"></x>
  <!-- the opening ds:Signature tag is absent from the original post; restored here from the presence and message examples below -->
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>FVBU+ucCf8bPWdiJbo7RXXGJhcI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
usN4/Zb+eufe8lOIGez+TuxEiVGwOg3QZNzzx1Ld6fKBjYIIgB2Z9X1KuGkrWbrqcQg5EvOyhopa
RkgaWyRNtbYT6h2uw8C6af07iWR5Plwiv36r8Fiutcyx+ZSRzzF03uL8KfuKOvgerhjUS/ntAmHa
zvMrE37A5N39h/S6ZZIGZrmK2/2JxZRKEdnQtmgLMrccmfgmCUrSSEgs52kQ1Bt7PB5PW2Lxoj04
T5lU92o2f4QIxqLkND+rHYY09KzG28Vb9ImXg0vfhs1oWqP5j5HtxGoNfJ1eXQIQt/Mk9NOQFUHa
Zh8pwvfjbWeY2z7FW5x2RuYFGnpkd9OphBSwNw==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIDwzCCAqugAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpDELMAkGA1UEBhMCVVMxGDAWBgNVBAoT
D1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMQwwCgYDVQQLEwNQS0kxDjAMBgNVBAsTBUNE
Q0lFMR8wHQYDVQQDExZyZWwtY2cucmVsLmplLmpvaW50LnVzMS4wLAYJKoZIhvcNAQkBFh9jb2Fs
bG9nMUByZWwtY2cucmVsLmplLmpvaW50LnVzMB4XDTA4MDIxOTE5NTczN1oXDTA5MDIxODE5NTcz
N1owgaQxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0Rv
RDEMMAoGA1UECxMDUEtJMQ4wDAYDVQQLEwVDRENJRTEfMB0GA1UEAxMWcmVsLWNnLnJlbC5qZS5q
b2ludC51czEuMCwGCSqGSIb3DQEJARYfY29hbGxvZzFAcmVsLWNnLnJlbC5qZS5qb2ludC51czCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOsouVSsIFZMqQOYCBiDgyfQG3g2Z47MDm+e
qhJ1xqcvZfrvuIg/wPGYxiA/C3WOXN/aMmoTHkapP0K/wtXQQ4Csm1D7iwkN4UnKlccoh7EwqAOi
0ED+PGxjP8JB5VxDib6SWUKA0acE5NAgX0PX/KaMG1rrl5wDsFUtpt5r8j6RSx95ARGlYBZQWuWd
NBuy03vukiyuIT5fbSVqPKU9NCQIvJTjNFgemECdyQanrFdqQR8oBWXZ9uoWHa5+lKrnYWHHTUE/
ylTd05nlW725w9aNGFbkZNh/eYPOFtUuDOtxC7Uu2ii+gaKbjDK5NcqJwM3XgfNgU9mykqvU4zGJ
uukCAwEAATANBgkqhkiG9w0BAQQFAAOCAQEAmY+M5lV//+qL5JczL9vrdZCnxOxt3N3uw7JE4tIb
+oHC+TMHxLPEGoLOSb6muTpDiKLDeJBsrFf3KkvhnJZyU+dF3OPutm2nI8r9KsXIzF/mWHBPbZOE
HJHmenvR0v+7gcW4PJLQogb8sgdhIJmdo3ANPahppo+QyqDu4EeIFtf+qSNb7OA6EYDwNZCR67tO
ApA9dEOHtkGEIdoHAdmzYu6uIP3EhmYRSGulVqaVBB6OZdoq6OPlh6ER90xeDba2O5t7GkdbKdD9
vN3Qo9ZUVY9KkOP5wYgW6lvaD1xKf9LM/Er9dEVrJFPtPJFVOuTZlGIfQGSVz70Grv1Dwc2cIw==
        </ds:X509Certificate>
      </ds:X509Data>
      <ds:KeyName>82:9D:A9:E4:0B:B2:A5:A2:77:D3:A5:D1:43:C0:79:CA</ds:KeyName>
    </ds:KeyInfo>
  </ds:Signature>
</iq>

A digitally signed PRESENCE stanza

<presence xmlns="jabber:client" from="[EMAIL PROTECTED]/TransVerse" xml:lang="en" id="iq7DP-81" to="[EMAIL PROTECTED]/coallog1">
  <status>Online</status>
  <priority>0</priority>
  <x xmlns="http://jabber.org/protocol/muc"></x>
  <x xmlns="jabber:x:tstamp" tstamp="2008-03-11T17:36:19.338Z"></x>
  <ds:Signature xmlns="jabber:client" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xml:lang="en">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>+Ux4t7g6eXoNzYQdMlI5lnAuAfQ=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
4bVVbgHaekPhBVAeDm8Fku6kLLiyy3Duvhy5BaJ9QDN4qyC7kwqxjd3SFzQ4NxtGqno1/QEjJBwG
371fTzxsYMBjSsDVSU2JdGJttsNs9vVF5CHvvqVugnHFBt2LQWaPKfxGLI9aEGwCrkkmtdMMGMBz
3q/JUzbG0PeG41SzUXpvnpiC/4PmhJv2G5pjrVXRTOyyi6DbeQY9bVOrcD4annwPKcSlAVvXOsRR
k6VhxtwTXqDl9/jOyktMfiFYcAQzyi6xvKRY/KBbybUhie9Mq5f1O88AJipr4+B2u8pNyCDvGNiW
zRuzG4bw7QlXuKUH8PcWDVbtXcXE+aJELTucwg==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIDwzCCAqugAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpDELMAkGA1UEBhMCVVMxGDAWBgNVBAoT
D1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMQwwCgYDVQQLEwNQS0kxDjAMBgNVBAsTBUNE
Q0lFMR8wHQYDVQQDExZyZWwtY2cucmVsLmplLmpvaW50LnVzMS4wLAYJKoZIhvcNAQkBFh9jb2Fs
bG9nMUByZWwtY2cucmVsLmplLmpvaW50LnVzMB4XDTA4MDIxOTE5NTczN1oXDTA5MDIxODE5NTcz
N1owgaQxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0Rv
RDEMMAoGA1UECxMDUEtJMQ4wDAYDVQQLEwVDRENJRTEfMB0GA1UEAxMWcmVsLWNnLnJlbC5qZS5q
b2ludC51czEuMCwGCSqGSIb3DQEJARYfY29hbGxvZzFAcmVsLWNnLnJlbC5qZS5qb2ludC51czCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOsouVSsIFZMqQOYCBiDgyfQG3g2Z47MDm+e
qhJ1xqcvZfrvuIg/wPGYxiA/C3WOXN/aMmoTHkapP0K/wtXQQ4Csm1D7iwkN4UnKlccoh7EwqAOi
0ED+PGxjP8JB5VxDib6SWUKA0acE5NAgX0PX/KaMG1rrl5wDsFUtpt5r8j6RSx95ARGlYBZQWuWd
NBuy03vukiyuIT5fbSVqPKU9NCQIvJTjNFgemECdyQanrFdqQR8oBWXZ9uoWHa5+lKrnYWHHTUE/
ylTd05nlW725w9aNGFbkZNh/eYPOFtUuDOtxC7Uu2ii+gaKbjDK5NcqJwM3XgfNgU9mykqvU4zGJ
uukCAwEAATANBgkqhkiG9w0BAQQFAAOCAQEAmY+M5lV//+qL5JczL9vrdZCnxOxt3N3uw7JE4tIb
+oHC+TMHxLPEGoLOSb6muTpDiKLDeJBsrFf3KkvhnJZyU+dF3OPutm2nI8r9KsXIzF/mWHBPbZOE
HJHmenvR0v+7gcW4PJLQogb8sgdhIJmdo3ANPahppo+QyqDu4EeIFtf+qSNb7OA6EYDwNZCR67tO
ApA9dEOHtkGEIdoHAdmzYu6uIP3EhmYRSGulVqaVBB6OZdoq6OPlh6ER90xeDba2O5t7GkdbKdD9
vN3Qo9ZUVY9KkOP5wYgW6lvaD1xKf9LM/Er9dEVrJFPtPJFVOuTZlGIfQGSVz70Grv1Dwc2cIw==
        </ds:X509Certificate>
      </ds:X509Data>
      <ds:KeyName>82:9D:A9:E4:0B:B2:A5:A2:77:D3:A5:D1:43:C0:79:CA</ds:KeyName>
    </ds:KeyInfo>
  </ds:Signature>
</presence>

A digitally signed MESSAGE stanza

<message xmlns="jabber:client" from="[EMAIL PROTECTED]/TransVerse" xml:lang="en" id="iq7DP-82" to="[EMAIL PROTECTED]" type="groupchat">
  <body>Hello, here is a test message</body>
  <x xmlns="jabber:x:tstamp" tstamp="2008-03-11T17:36:39.635Z"></x>
  <ds:Signature xmlns="jabber:client" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xml:lang="en">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>Hqo9Q47nZsSR0hmEijPujc0Ix/Y=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
yylIVYLGfRMa/YIBO7LGqz5OfeJ7SfZX27cwZD+JhYybXvyzO5rbWnJDcPjS2yMmmzBQGL+MLFYm
rbOxdaTD0p/zaK9ohUb8LBZPWx0fFR9EMUoEL/0O01yAoRvfbllCnG1HpHcI6BElcnDS03DxGVOi
KfmxcGZBl9WPjoX70q2O6p2wB7sDMaeaKXy7vsysaaLAtnmxP42yXjd9zlESEtY4G50qkMzF84+Q
R2Fb+Yt+2AOxNKTmUPJYtKpjXZg/fYlquoSeC2ft0ILF0e1+kFdfgaBYwVKamcygFasXNtagUgrN
vIOTnr2HSOgGfDP59OkCOaR5xWrTMyJatjjWGw==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>82:9D:A9:E4:0B:B2:A5:A2:77:D3:A5:D1:43:C0:79:CA</ds:KeyName>
    </ds:KeyInfo>
  </ds:Signature>
</message>
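The following is an added worked example of the scheme described above (enveloped signature over the whole stanza with Reference URI="", c14n + SHA-1 digest, rsa-sha1 SignatureValue over SignedInfo, and key selection by the JID plus a colon-separated MD5 fingerprint in <ds:KeyName/>). It is not code from the original post or its authors, and it makes several assumptions so that it runs offline with only the Python 3.8+ standard library: the RSA key generation and PKCS#1 v1.5 padding are textbook pure-Python stand-ins for a real crypto library; the "certificate" fed to the fingerprint is an opaque constructed byte string where a deployment would hash the DER-encoded X.509 certificate; canonicalization uses the stdlib C14N 2.0 writer on the subtree serialized on its own, which is not byte-identical to the C14N 1.0 the proposal names; and the stanza, JIDs and key store are constructed. What the paragraph above leaves implicit, and what the verifier below enforces, is that the KeyName must only select among the certificates already bound to the stanza's own 'from' JID (a KeyName or embedded X509Certificate chosen by the sender must never be trusted on its own), that exactly one <ds:Signature/> child is accepted, and that the Reference really covers the whole stanza. The tampered case also shows that, because every attribute of the root element is signed, any intermediary that rewrites one (for instance a server stamping 'from') invalidates the signature. MD5 fingerprints and rsa-sha1 are kept because that is what the proposal specifies; a new deployment would use SHA-256 for both.

```python
"""Enveloped W3C XML Signature over an XMPP stanza: sign, select the key by JID + KeyName
fingerprint, verify, detect tampering. Added example (Python 3.8+, stdlib only), not code
from the original post; the toy RSA, C14N 2.0 and constructed inputs are assumptions."""
import base64, copy, hashlib, hmac, math, random
import xml.etree.ElementTree as ET

DS, C14N_1_0 = "http://www.w3.org/2000/09/xmldsig#", "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
def ds(tag): return f"{{{DS}}}{tag}"      # Clark-notation tag in the xmldsig namespace
ET.register_namespace("ds", DS)
ET.register_namespace("", "jabber:client")
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER DigestInfo prefix for SHA-1
SIGNED_INFO = ('<ds:SignedInfo xmlns:ds="{DS}"><ds:CanonicalizationMethod Algorithm="{C14N}"/>'
               '<ds:SignatureMethod Algorithm="{DS}rsa-sha1"/><ds:Reference URI=""><ds:Transforms>'
               '<ds:Transform Algorithm="{DS}enveloped-signature"/><ds:Transform Algorithm="{C14N}"/></ds:Transforms>'
               '<ds:DigestMethod Algorithm="{DS}sha1"/><ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>')
STANZA = ('<message xmlns="jabber:client" from="alice@example.org/laptop" to="room@conference.example.org" '
          'type="groupchat" id="m1"><body>meet at noon</body></message>')   # constructed input

def _probable_prime(n, rounds=32):        # n is odd and large here, so trial division by small odd primes is safe
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)): return False
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):               # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def generate_rsa_key(bits=1024):
    """Toy RSA keygen (demo only): return (n, e, d); the public key is (n, e)."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c): return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1 and (p * q).bit_length() == bits:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa(data, k):                       # EMSA-PKCS1-v1_5 encoding of SHA-1(data) into k bytes
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sha1_sign(key, data):
    n, _, d = key; k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(data, k), "big"), d, n).to_bytes(k, "big")
def rsa_sha1_verify(pub, data, sig):
    n, e = pub; k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    return hmac.compare_digest(pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big"), _emsa(data, k))

def fingerprint(cert_der):                # KeyName in the proposal's format: MD5 of the cert as "AA:BB:..."
    return ":".join(f"{b:02X}" for b in hashlib.md5(cert_der).digest())

def c14n(elem):                           # stdlib C14N 2.0 of the subtree serialized on its own (assumption)
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def reference_digest(stanza):             # Reference URI="": drop ds:Signature (enveloped transform), c14n, SHA-1
    body = copy.deepcopy(stanza)
    for sig in body.findall(ds("Signature")): body.remove(sig)
    return hashlib.sha1(c14n(body)).digest()

def sign_stanza(stanza_xml, key, key_name):
    """Append an enveloped <ds:Signature/> as the stanza's last child and return the XML."""
    stanza = ET.fromstring(stanza_xml)
    digest = base64.b64encode(reference_digest(stanza)).decode()
    si = ET.fromstring(SIGNED_INFO.format(DS=DS, C14N=C14N_1_0, digest=digest))
    sig = ET.SubElement(stanza, ds("Signature")); sig.append(si)
    ET.SubElement(sig, ds("SignatureValue")).text = base64.b64encode(rsa_sha1_sign(key, c14n(si))).decode()
    ET.SubElement(ET.SubElement(sig, ds("KeyInfo")), ds("KeyName")).text = key_name
    return ET.tostring(stanza, encoding="unicode")

def verify_stanza(signed_xml, key_store):
    """Return (ok, reason). key_store: bare JID -> {KeyName fingerprint: (n, e)}."""
    stanza = ET.fromstring(signed_xml)
    sigs = stanza.findall(ds("Signature"))
    if len(sigs) != 1: return False, "expected exactly one ds:Signature child"
    sig, si = sigs[0], sigs[0].find(ds("SignedInfo"))
    # Key selection is scoped by the stanza's own 'from' JID; KeyName only picks among that JID's certs.
    jid = stanza.get("from", "").split("/", 1)[0]
    key_name = sig.findtext(ds("KeyInfo") + "/" + ds("KeyName"))
    pub = key_store.get(jid, {}).get(key_name)
    if pub is None: return False, f"no trusted key {key_name!r} for {jid!r}"
    if si is None or not rsa_sha1_verify(pub, c14n(si), base64.b64decode(sig.findtext(ds("SignatureValue"), ""))):
        return False, "SignatureValue does not verify over c14n(SignedInfo)"
    ref = si.find(ds("Reference"))
    if ref is None or ref.get("URI") != "": return False, 'Reference must cover the whole stanza (URI="")'
    if not hmac.compare_digest(base64.b64decode(ref.findtext(ds("DigestValue"), "")), reference_digest(stanza)):
        return False, "stanza content differs from the signed digest"
    return True, "ok"

def demo():
    random.seed(7)                        # reproducible toy keys; a real deployment uses a CSPRNG and real certs
    alice, mallory = generate_rsa_key(), generate_rsa_key()
    alice_fp = fingerprint(b"constructed stand-in for Alice's DER-encoded X.509 certificate")
    store = {"alice@example.org": {alice_fp: alice[:2]}}
    signed = sign_stanza(STANZA, alice, alice_fp)
    tampered = signed.replace("meet at noon", "meet at midnight")     # body edited after signing
    spoofed = sign_stanza(STANZA, mallory, fingerprint(b"Mallory's constructed cert"))  # Mallory claims Alice's JID
    return {"signed_xml": signed, "valid": verify_stanza(signed, store),
            "tampered": verify_stanza(tampered, store), "spoofed": verify_stanza(spoofed, store)}

if __name__ == "__main__": print(demo())
```

Running it prints the signed stanza (the <ds:Signature/> lands as the last child, as in the examples above) followed by the three verdicts: the untouched stanza verifies, the edited body fails on the digest check, and Mallory's stanza fails before any cryptography is done because her KeyName is not bound to alice@example.org in the key store. The order of checks in verify_stanza is deliberate: the key is resolved and the SignatureValue checked first, so an attacker cannot make the verifier do digest work on data no trusted key ever signed.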