XSF Discussion - 2012-08-29


  1. Alex

    mail

  2. Alex

    ups sorry

  3. Alex

    each message comes twice here with the latest Psi version

  4. Zash

    stpeter, I've looked at DANE and DNA and stuff. It seems to be all about a client verifying a server that it's connecting to. Do you know if anyone tried dealing with the case where a server wants to auth an incoming client connection? I found some thread on the dane list, but it didn't lead anywhere.

  5. stpeter

    Zash: by "auth an incoming client connection" do you mean using SASL EXTERNAL and client certificates?

  6. Zash

    Yes

  7. Zash

    For s2s connections mainly

  8. stpeter

    ah, for s2s

  9. stpeter

    I added a bit of text about that to RFC 6125 IIRC, or maybe it just ended up in RFC 6120

  10. Zash

    in relation to DANE?

  11. stpeter

    no

  12. stpeter

    because DANE didn't exist back then :)

  13. Zash

    Right

  14. stpeter

    basically, in s2s each server would handle things mostly in the same way, because the connection needs to be validated in each direction -- hold for URL about some more specific text

  15. Zash

    The undefined bit seems to be where to look for a TLSA record when you have an incoming connection

  16. stpeter

    http://xmpp.org/rfcs/rfc6120.html#security-certificates-validation-server

  17. stpeter

    Zash: right

  18. stpeter

    Zash: Jeff Hodges and I need to update RFC 6125 to incorporate the thinking from DANE, but it was such a lot of work the first time around that we don't want to open the can of worms again