wg-pic - Re: [wg-pic] Comments Requested: PIC Working Group Project Proposal
Subject: Presence and IntComm WG
- From: Peter Saint-Andre <>
- To: Dennis Baron <>
- Cc:
- Subject: Re: [wg-pic] Comments Requested: PIC Working Group Project Proposal
- Date: Thu, 01 Mar 2007 13:01:33 -0700
- Jabber-id:
- Organization: XMPP Standards Foundation
Dennis Baron wrote:
>>> I'm not sure we should abandon the "we'll connect with anyone" model
>>> altogether. But I think organizations should authenticate any
>>> communications that come from them.
>>
>> What do you mean by "authenticate" in this context?
>
> Well - my "SIP-head" will show through - so I think SIP Identity
> (RFC4474) here - where the originating domain signs the request and
> the recipients can verify the identity. I suspect this is easier with
> XMPP and there's already similar functionality?

As far as I can see, identity is asserted in SIP. In XMPP, sender addresses are stamped by the sender's server (any address provided by the sender is overridden or, at the least, verified). The XMPP server must not accept a session unless the sender authenticates via one of the provided SASL mechanisms. The recipient's server must verify the identity of the sender's server, either via reverse DNS lookups (deprecated but still useful in certain situations) or SASL. It is also possible for the sender to sign what it sends to the server, but given the extremely low uptake for X.509 client certificates, that option is not seen in the wild. My impression is that you are most interested in the inter-domain authentication piece, which in XMPP is typically done via TLS + SASL EXTERNAL.
Peter
--
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
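
The two server-side checks described in the message above, as an added Python example that is not part of the original post and not taken from any XMPP server: the sender's server stamps `from` with the authenticated session address, and the recipient's server accepts a stanza only if its `from` domain matches the domain the peer server authenticated as. All function names and domain names are constructed for illustration, and the authenticated peer domain is assumed to be the result of the TLS + SASL EXTERNAL handshake.

```python
import xml.etree.ElementTree as ET


def domain_of(jid):
    """Return the domain part of a JID of the form [local@]domain[/resource]."""
    bare = jid.partition("/")[0]           # drop the resource first; it may contain '@'
    return bare.rpartition("@")[2].lower()


def stamp_from(stanza_xml, session_jid):
    """Sender's server: replace any client-supplied 'from' with the JID
    bound to the client's SASL-authenticated session."""
    stanza = ET.fromstring(stanza_xml)
    stanza.set("from", session_jid)
    return stanza


def accept_inbound(stanza, authenticated_peer_domain):
    """Recipient's server: accept a stanza arriving on a server-to-server
    stream only if its 'from' domain is the one the peer authenticated as."""
    sender = stanza.get("from")
    if not sender:
        return False
    return domain_of(sender) == authenticated_peer_domain.lower()


# Constructed sample: a client authenticated as alice@campus-a.example
# supplies a 'from' address in a domain it does not belong to.
CLIENT_STANZA = (
    "<message from='provost@campus-b.example' to='bob@campus-c.example'>"
    "<body>hello</body></message>"
)

if __name__ == "__main__":
    stamped = stamp_from(CLIENT_STANZA, "alice@campus-a.example/laptop")
    print(stamped.get("from"))                              # stamped address
    print(accept_inbound(stamped, "campus-a.example"))      # matches the peer
    unstamped = ET.fromstring(CLIENT_STANZA)
    print(accept_inbound(unstamped, "campus-a.example"))    # domain mismatch
```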