On 14.02.2019 12:46, Evgeny wrote:
> On Thu, Feb 14, 2019 at 2:20 PM, Wiktor Kwapisiewicz
> <[email protected]> wrote:
>> SASL EXTERNAL has some practical issues, like client certs being sent
>> in cleartext [1] and the fact that, for example, Android requires the lock
>> screen to be on to add client certs to the store, not to mention
>> problems in browsers (browsers generally can do client certs, but I'm
>> not sure if any XMPP server would do a client cert handshake over
>> websockets).
>
> [1] is solved via the ESNI extension (IETF I-D in progress)

ESNI works well for servers that are hidden behind one big provider,
e.g. Cloudflare, so that one host serves many customers and it's not
possible to correlate the IP and the target host.

From my experience, CDNs like Cloudflare are common with HTTP but not so
with XMPP. But I don't have any data to back this...

> [2] you can use your own certificate storage without relying on the
> Android library
>
> and w.r.t. Web clients: adopting XMPP server implementations is the
> least of the problems.
>
> I strongly advise going the well-established certificate way without
> re-inventing wheels just to solve momentary, up-to-the-minute problems.

Certificate issuance using a CSR would still have to be specified, unless
there is some standard for getting end-user client certificates issued
using CSRs and XMPP that I'm not aware of (like ACME for server certs).
Kind regards,
Wiktor
--
https://metacode.biz/@wiktor
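The two concrete pieces the thread circles around are (a) what a client-certificate CSR for an XMPP account has to carry so that a server can map the cert to a JID, and (b) what the server then does with it during SASL EXTERNAL. The following is an added example, not code from the thread or from any XMPP project: it builds a CSR whose subjectAltName carries the id-on-xmppAddr otherName (the form RFC 6120 section 13.7.1.4 and XEP-0178 describe), reads the JIDs back out of it, and applies a simplified XEP-0178-style mapping from those JIDs plus an optional SASL authzid to the identity the client is authorized as. It uses the third-party `cryptography` package; the JIDs, the served-domain set and all function names are assumptions made for the illustration.

```python
"""
Added example (not from the mailing-list thread): build a client-certificate
CSR that binds XMPP JIDs to a key via the id-on-xmppAddr otherName SAN, then
apply the server-side mapping a SASL EXTERNAL handler would use.  Requires the
third-party 'cryptography' package.  JIDs, domains and helper names are
assumptions, not anything the thread specifies.
"""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# id-on-xmppAddr: the otherName type that carries a JID (RFC 6120 13.7.1.4).
XMPP_ADDR_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.5")


def der_utf8string(text: str) -> bytes:
    """DER-encode a UTF8String (tag 0x0C), short- or long-form length."""
    data = text.encode("utf-8")
    n = len(data)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return b"\x0c" + length + data


def der_utf8string_decode(der: bytes) -> str:
    """Inverse of der_utf8string; rejects anything that is not a UTF8String."""
    if not der or der[0] != 0x0C:
        raise ValueError("xmppAddr otherName value is not a UTF8String")
    first = der[1]
    if first < 0x80:
        body = der[2:2 + first]
    else:
        count = first & 0x7F
        n = int.from_bytes(der[2:2 + count], "big")
        body = der[2 + count:2 + count + n]
    return body.decode("utf-8")


def build_client_csr(jids, key=None):
    """Return (private_key, csr); the CSR carries one xmppAddr SAN per JID."""
    key = key or ec.generate_private_key(ec.SECP256R1())
    san = x509.SubjectAlternativeName(
        [x509.OtherName(XMPP_ADDR_OID, der_utf8string(j)) for j in jids]
    )
    csr = (
        x509.CertificateSigningRequestBuilder()
        # The CN is informational only; a server must key on the SAN, not on it.
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, jids[0])]))
        .add_extension(san, critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, csr


def xmpp_addrs_from_csr(csr):
    """Extract every id-on-xmppAddr value from the CSR's SAN extension."""
    try:
        ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return [der_utf8string_decode(o.value)
            for o in ext.value.get_values_for_type(x509.OtherName)
            if o.type_id == XMPP_ADDR_OID]


def sasl_external_identity(xmpp_addrs, authzid, served_domains):
    """JID a SASL EXTERNAL login is authorized as, or None to reject.

    Simplified rule set modelled on XEP-0178 (an assumption, not a verbatim
    copy): only xmppAddr values in a domain this server serves count; if the
    client sent an authzid it must be one of them; without an authzid there
    must be exactly one usable xmppAddr, otherwise the server cannot choose.
    served_domains is a set of lower-case domain names.
    """
    usable = [a.lower() for a in xmpp_addrs
              if "@" in a and a.split("@", 1)[1].lower() in served_domains]
    if authzid:
        return authzid.lower() if authzid.lower() in usable else None
    return usable[0] if len(usable) == 1 else None


if __name__ == "__main__":
    # Constructed sample: one account, one CSR, then the mapping decisions.
    _key, _csr = build_client_csr(["alice@example.org"])
    print(_csr.public_bytes(serialization.Encoding.PEM).decode())
    print(xmpp_addrs_from_csr(_csr))
    print(sasl_external_identity(xmpp_addrs_from_csr(_csr), "", {"example.org"}))
```

What the CSR does not settle, and what the thread is pointing at, is how the CSR gets to an issuer and how the issuer checks that the requester actually controls the JID; nothing in the example performs that step, it only produces the artifact such a protocol would carry.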
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________