jdev - 2020-11-13

  1. o2 has joined

  2. Vaulor has left

  3. Wojtek has left

  4. adityaborikar has joined

  5. adityaborikar has left

  6. adityaborikar has joined

  7. NosoyHacker404 has left

  8. NosoyHacker404 has joined

  9. DebXWoody has joined

  10. Yagizа has joined

  11. marc0s has joined

  12. debacle has joined

  13. Vaulor has joined

  14. paul has joined

  15. Beherit has left

  16. Beherit has joined

  17. Alex has joined

  18. floretta has left

  19. DebXWoody has left

  20. Vaulor has left

  21. SouL has left

  22. adityaborikar has left

  23. adityaborikar has joined

  24. Beherit has left

  25. Beherit has joined

  26. DebXWoody has joined

  27. adityaborikar has left

  28. adityaborikar has joined

  29. alex-a-soto has left

  30. alex-a-soto has joined

  31. kikuchiyo has joined

  32. kikuchiyo has left

  33. Zash has joined

  34. goffi has joined

  35. Vaulor has joined

  36. SouL has joined

  37. alacer has left

  38. alacer has joined

  39. marc has joined

  40. marc has left

  41. marc has joined

  42. goffi has left

  43. goffi has joined

  44. mac has joined

  45. mac has left

  46. DebXWoody has left

  47. Yagizа has left

  48. Yagizа has joined

  49. DebXWoody has joined

  50. DebXWoody has left

  51. DebXWoody has joined

  52. DebXWoody has left

  53. DebXWoody has joined

  54. defanor

    If a user sets server host name and port manually, and the address (A/AAAA) record chosen to connect to it passes DNSSEC validation, is it okay to perform DANE TLSA verification against that manually provided host name?

  55. debacle has left

  56. flow

    defanor, you don't perform TLSA verification against the provided host name, you perform it against the provided xmpp service name

  57. flow

    e.g. user configures his jid to be "user@example.org" and host name to be "enterprise.example.org", then you would perform TLSA verification against "example.org"

  58. goffi has left

  59. sonny has left

  60. defanor

    But with SRV records it would be "enterprise.example.org", according to <https://tools.ietf.org/html/draft-ietf-dane-srv-14#section-3.3>, so it seemed to me that with a manually provided host name it would be similar, since it more or less replaces SRV.

  61. flow

    this only talks about the TLSA DNS query (/lookup)

  62. flow

    i.e., it says that you want to lookup the TLSA record on the SRV target

  63. defanor

    Indeed. I thought I had read in one of the related RFCs that it allows using certificates for different domains on different servers, but I probably misunderstood something; re-reading the RFCs. And GnuTLS's dane_verify_session_crt seems to only assume a single domain name, not one for the certificate and one for TLSA. Still, what are the required conditions to use DANE with a manually provided host?

  64. flow

    defanor, dunno, but I could imagine that you do the TLSA lookup on the user provided DNS name

  65. marc has left

  66. edhelas has left

  67. edhelas has joined

  68. defanor

    https://tools.ietf.org/html/rfc7673#section-6 -- if I'm reading it right, with DANE-EE there are no constraints on the certificate's identifier, and with DANE-EE it could be either service/source or target server/derived domain. Or am I misinterpreting it?

  69. defanor

    "and with non-DANE-EE", rather.

  70. Zash

  71. mac has joined

  72. Zash

    https://tools.ietf.org/html/rfc7712#section-5.1 even

  73. flow

    defanor, yes, that appears right. but the problem is the "and/or" part in RFC7673 § 6. as most APIs only take one identifier as input (sure you could invoke the verify() method multiple times)

  74. flow

    personally, if in doubt, I would always use the XMPP service name and not the DNS name of the discovered/explicitly configured host for verification

  75. Zash

    Yeah, you start with the identifier you got from the user. Only use something if it can be securely derived from that.

  76. debacle has joined

  77. alex-a-soto has left

  78. alex-a-soto has joined

  79. mac has left

  80. mac has joined

  81. mac has left

  82. mac has joined

  83. raghavgururajan has left

  84. mac has left

  85. adityaborikar has left

  86. adityaborikar has joined

  87. mac has joined

  88. mac has left

  89. flow

    Zash, but in this case I get two identifiers from the user: the user's JID domainpart and the DNS name of the server hosting the XMPP service

  90. mac has joined

  91. Zash

    Hmm, right

  92. Zash

    Hmm, right.

  93. alex-a-soto has left

  94. alex-a-soto has joined

  95. Beherit has left

  96. mac has left

  97. Beherit has joined

  98. goffi has joined

  99. marc has joined

  100. marc has left

  101. marc has joined

  102. adityaborikar has left

  103. adityaborikar has joined

  104. jonnj has left

  105. marc has left

  106. NosoyHacker404 has left

  107. adityaborikar has left

  108. adityaborikar has joined

  109. jonnj has joined

  110. wurstsalat has left

  111. wurstsalat has joined

  112. floretta has joined

  113. adityaborikar has left

  114. adityaborikar has joined

  115. NosoyHacker404 has joined

  116. marc has joined

  117. sonny has joined

  118. goffi has left

  119. adityaborikar has left

  120. adityaborikar has joined

  121. alex-a-soto has left

  122. alex-a-soto has joined

  123. adityaborikar has left

  124. adityaborikar has joined

  125. marc has left

  126. marc has joined

  127. Wojtek has joined

  128. alacer@blabber.im has joined

  129. alacer@blabber.im has left

  130. Beherit has left

  131. Beherit has joined

  132. stpeter has joined

  133. lovetox has joined

  134. Al@cer has joined

  135. Al@cer has left

  136. Al@cer has joined

  137. alacer has left

  138. Al@cer has left

  139. Wojtek has left

  140. Wojtek has joined

  141. adityaborikar has left

  142. adityaborikar has joined

  143. shachontal has joined

  144. Beherit has left

  145. Beherit has joined

  146. adityaborikar has left

  147. adityaborikar has joined

  148. ralphm has left

  149. ralphm has joined

  150. Beherit has left

  151. Beherit has joined

  152. raghavgururajan has joined

  153. shachontal has left

  154. shachontal has joined

  155. shachontal has left

  156. shachontal has joined

  157. shachontal has left

  158. marc has left

  159. DebXWoody has left

  160. zapb has left

  161. zapb has joined

  162. adityaborikar has left

  163. adityaborikar has joined

  164. DebXWoody has joined

  165. adityaborikar has left

  166. adityaborikar has joined

  167. marc has joined

  168. floretta has left

  169. floretta has joined

  170. ralphm has left

  171. ralphm has joined

  172. Beherit has left

  173. Beherit has joined

  174. ralphm has left

  175. ralphm has joined

  176. alacer has joined

  177. alacer has left

  178. floretta has left

  179. DebXWoody has left

  180. floretta has joined

  181. DebXWoody has joined

  182. DebXWoody has left

  183. DebXWoody has joined

  184. marc has left

  185. lovetox has left

  186. Yagizа has left

  187. lovetox has joined

  188. Alex has left

  189. lovetox has left

  190. marc has joined

  191. marc has left

  192. floretta has left

  193. jubalh has left

  194. stpeter has left

  195. floretta has joined

  196. jubalh has joined

  197. Wojtek has left

  198. test2 has joined

  199. alex-a-soto has left

  200. alex-a-soto has joined