On 23 Apr 2013 07:56, "Daniele Ricci" <daniele.ath...@gmail.com> wrote:
> Yes I use them for authentication. In my case, I just need to verify
> if one or more signatures are present on the client's public key
> (signature that a server can recognize as valid). After that,
> server iterates through all certificate uids, searching for a special
> "token" on the comment field (e.g. "kontalk" or something like that,
> maybe "xmpp" or "jabber" or "jabber|domain.com", maybe we could define
> a XEP for that? [2]); the e-mail field will be the client's Jabber ID (of
> course verifications to the e-mail field are made too just in case [1]). I
> still have to find a use for the name field... I guess it can be used
> as a "public name", since jabber IDs in my case are a bit "hard to
> remember" (<sha1 hash>@kontalk.net).
>
I suspect Hannes was asking how you decide if the claimed authorization identifier is acceptable, rather than how you decide what the claimed authorization identifier is.

So in X.509 terms, the peer provides a certificate, and you assemble a chain back to a known trust anchor (typically a public CA, by walking back through the issuers). If that chain looks good (and if the other parameters on the certificate, such as expiry, are OK, and if the certificate has not been explicitly revoked, and so on) then you trust the certificate, and can use the identifier information within it (Subject Alternative Names, or the Subject DN itself, typically extracting CommonNames in ways that leave me queasy) to decide on an identifier.

XEP-0178 - which we should probably look at again sometime - mostly discusses how to use the SASL EXTERNAL mechanism with XMPP. You can leave the authorization identifier in the SASL mechanism empty, and instead use the stream from, which seems more correct these days - although whether it works reliably I don't know. This is all particularly useful in the case where the certificate contains multiple identifiers, ambiguous identifiers (like wildcards) or no identifiers at all.

You've given how to extract identifiers from PGP keys, which seems useful, but not how each party might decide to trust the key at all.

Dave.
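
The identifier decision discussed in this message, as an added example that is not part of the original e-mail and is not the normative text of XEP-0178: once a credential has been trusted, the identifiers it carries are checked against the claimed identity, covering the multiple, wildcard and empty cases mentioned above. The function names, the precedence of the authorization identifier over the stream from, the one-label wildcard rule and the sample addresses are assumptions made for illustration.

```python
from typing import Optional, Sequence


def _covers(cert_id: str, claimed: str) -> bool:
    """True if one credential identifier covers the claimed identity."""
    # Assumption: plain case-insensitive comparison stands in for full JID
    # normalisation (stringprep/PRECIS), which this example does not implement.
    cert_id, claimed = cert_id.lower(), claimed.lower()
    if cert_id == claimed:
        return True
    # Assumption: "*.example.org" covers exactly one extra left-most label of
    # a bare domain, never a user@domain address and never the parent domain.
    if cert_id.startswith("*.") and "@" not in claimed:
        label, _, parent = claimed.partition(".")
        return bool(label) and parent == cert_id[2:]
    return False


def select_identity(cert_ids: Sequence[str], authzid: str,
                    stream_from: str) -> Optional[str]:
    """Pick the identity to authorize, or None to refuse.

    cert_ids must come from a credential whose trust was already established
    (chain to a trust anchor, expiry, revocation); that step is out of scope.
    """
    claimed = authzid or stream_from  # empty authzid: fall back to stream 'from'
    if claimed:
        ok = any(_covers(c, claimed) for c in cert_ids)
        return claimed.lower() if ok else None
    # Nothing claimed: only a single, non-wildcard identifier is unambiguous.
    if len(cert_ids) == 1 and not cert_ids[0].startswith("*."):
        return cert_ids[0].lower()
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    cases = [
        (["alice@example.org"], "", ""),
        (["alice@example.org", "bob@example.org"], "", ""),
        (["alice@example.org", "bob@example.org"], "", "bob@example.org"),
        (["*.example.org"], "", "chat.example.org"),
        (["*.example.org"], "", ""),
        ([], "", "alice@example.org"),
    ]
    for ids, authzid, frm in cases:
        print(ids, repr(authzid), repr(frm), "->", select_identity(ids, authzid, frm))
```

The same function applies to identifiers taken from PGP user IDs, provided the key itself was accepted first.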