seth
---------- Forwarded message ----------
From: Joe Hildebrand <hil...@gmail.com>
Date: Monday, July 20, 2009
Subject: [Summit] The S2S discussion
To: sum...@xmpp.org
The steps we just talked about:
Assume example.com is being hosted by google.com, and example.net wants to connect to example.com.
1) Look up _xmpp-server._tcp.example.com -> talk.google.com:5269
2) TCP connect, start-tls, server offers certificate foo.google.com (just for clarity, but SHOULD be talk.google.com)
3) X.509 verify is ok (times, CA signature, etc.), everything but subject
4) If TLS authorization had worked (cert subject matched example.com), skip to step 10
5) If SRV record had been DNSSEC signed, and cert matched talk.google.com, skip to step 10
6) Responder puts <assert from='example.com'/> in stream features
7) Initiator says "prove that you're example.com":
   <prove-it to='example.com' from='example.net' id='prove1'/>
8) Responder says:
   <proof from='example.com' to='example.net' id='prove1'>
     Base64(PKCS12(Attribute Cert(
       XMPP-Delegation: foo.google.com
       proof revocation list: http://...
       Full chain of certs to trust anchor that initiator trusts
     )))
   </proof>
9) verify proof (validity, chain, revocation, etc.) <fail/> if not, (NOT FATAL to connection)
10) Initiator sends: <asserted/>
11) Initiator claims example.net (takes place of dialback and/or SASL EXTERNAL)
    <assert from='example.net' to='example.com' id='assert1'/>
12) If responder doesn't trust cert from initiator:
    <prove-it/>
    <proof/> (or <go-fish/>)
13) responder says:
    <asserted/>
_______________________________________________
Summit mailing list
Event: http://xmpp.org/summit/summit7.shtml
Info: http://mail.jabber.org/mailman/listinfo/summit
Unsubscribe: Summit-un...@xmpp.org
_______________________________________________
Joe is writing a spec about it. Expect more details soon.
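The initiator's side of the exchange above (steps 3 through 10), as an added Python model that is not part of Joe's message or of any XMPP implementation: the X.509 and DNSSEC outcomes are passed in as booleans, the proof is a plain record standing in for the PKCS12 attribute certificate, and the trust anchor name is hypothetical.

```python
# Constructed model of the initiator's decision in steps 3-10 of the
# forwarded message. No real X.509, DNSSEC or PKCS12 handling: the Proof
# record stands in for the attribute cert, and TRUST_ANCHORS is hypothetical.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Proof:                 # contents of <proof/>, step 8
    delegator: str           # domain being asserted, e.g. example.com
    delegate: str            # XMPP-Delegation: host, e.g. foo.google.com
    chain: List[str]         # issuer names up to the trust anchor
    revoked: bool = False    # outcome of the proof revocation list check


@dataclass
class Connection:
    target: str              # domain the initiator wants to reach
    srv_host: str            # host the SRV lookup returned (step 1)
    srv_dnssec: bool         # SRV answer was DNSSEC-validated
    cert_subject: str        # subject of the cert the responder offered
    cert_valid: bool         # times, CA signature etc. (step 3)
    initiator: str = "example.net"
    transcript: List[str] = field(default_factory=list)


TRUST_ANCHORS = {"Example Root CA"}   # hypothetical anchor the initiator trusts


def initiator_accepts(conn: Connection, proof: Optional[Proof]) -> bool:
    """True once the initiator would send <asserted/> (step 10)."""
    if not conn.cert_valid:                              # step 3 failed
        return False
    if conn.cert_subject == conn.target:                 # step 4: TLS authz
        conn.transcript.append("<asserted/>")
        return True
    if conn.srv_dnssec and conn.cert_subject == conn.srv_host:   # step 5
        conn.transcript.append("<asserted/>")
        return True
    # Steps 6-9: responder asserted the domain, so ask it to prove delegation.
    conn.transcript.append(
        f"<prove-it to='{conn.target}' from='{conn.initiator}' id='prove1'/>")
    ok = (proof is not None
          and proof.delegator == conn.target            # proof is for our target
          and proof.delegate == conn.cert_subject        # binds to the TLS cert
          and not proof.revoked
          and bool(proof.chain) and proof.chain[-1] in TRUST_ANCHORS)
    conn.transcript.append("<asserted/>" if ok else "<fail/>")  # <fail/> is not fatal
    return ok
```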