jdev - 2020-11-13


  54. defanor If a user sets server host name and port manually, and the address (A/AAAA) record chosen to connect to it passes DNSSEC validation, is it okay to perform DANE TLSA verification against that manually provided host name?
  56. flow defanor, you don't perform TLSA verification against the provided host name, you perform it against the provided xmpp service name
  57. flow e.g. user configures his jid to be "user@example.org" and host name to be "enterprise.example.org", then you would perform TLSA verification against "example.org"
  60. defanor But with SRV records it would be "enterprise.example.org", according to <https://tools.ietf.org/html/draft-ietf-dane-srv-14#section-3.3>, so it seemed to me that with a manually provided host name it would be similar, since it more or less replaces SRV.
  61. flow this only talks about the TLSA DNS query (/lookup)
  62. flow i.e., it says that you want to lookup the TLSA record on the SRV target
  63. defanor Indeed. I thought I had read in one of the related RFCs that it allows using certificates for different domains on different servers, but probably misunderstood something; re-reading the RFCs. And GnuTLS's dane_verify_session_crt seems to only assume a single domain name, not one for the certificate and one for TLSA. Still, what are the required conditions to use DANE with a manually provided host?
  64. flow defanor, dunno, but I could imagine that you do the TLSA lookup on the user provided DNS name
  68. defanor https://tools.ietf.org/html/rfc7673#section-6 -- if I'm reading it right, with DANE-EE there are no constraints on the certificate's identifier, and with DANE-EE it could be either service/source or target server/derived domain. Or am I misinterpreting it?
  69. defanor "and with non-DANE-EE", rather.
  70. Zash https://tools.ietf.org/html/rfc7712
  72. Zash https://tools.ietf.org/html/rfc7712#section-5.1 even
  73. flow defanor, yes, that appears right. But the problem is the "and/or" part in RFC 7673 § 6, as most APIs only take one identifier as input (sure, you could invoke the verify() method multiple times)
  74. flow personally, if in doubt, I would always use the XMPP service name and not the DNS name of the discovered/explicitly configured host for verification
  75. Zash Yeah, you start with the identifier you got from the user. Only use something if it can be securely derived from that.
  89. flow Zash, but in this case I get two identifiers from the user: the user's JID domainpart and the DNS name of the server hosting the XMPP service
  92. Zash Hmm, right.