Presentation is loading. Please wait.

Presentation is loading. Please wait.

XMPP Delegation draft-ietf-xmpp-dna-00 Jonas Lindberg, Google Stephen Farrell, NewBay software (Based on work.

Published byReynard Wright Modified over 9 years ago

Similar presentations

Presentation on theme: "XMPP Delegation draft-ietf-xmpp-dna-00 Jonas Lindberg, Google Stephen Farrell, NewBay software (Based on work."— Presentation transcript:

1 XMPP Delegation draft-ietf-xmpp-dna-00 Jonas Lindberg, Google jonasl@google.com Stephen Farrell, NewBay software stephen.farrell@cs.tcd.ie (Based on work by Joe Hildebrand and Sean Turner)

2 Use Case Server-to-server security requires TLS authenticated identity matches XMPP server identity Some XMPP servers (“hosting provider”) want to act for many potential domains (“hosted domains”); some hosted domains want to delegate operation of their server to a hosting provider Implies many separate TLS connections are needed (and key pair messing) Goal is to provide a secure way for a domain to delegate operation of its XMPP server(s)

3 Plan Present three options disussed so far 1 from the -00 draft plus 2 from the list Attribute Cert approach XML delegation approach DNS delegation approach Produce a -01 documenting (some of) those based on feedback here WG can then decide how to proceed Drop/keep whichever -02 draft... WGLC

4 Attribute Cert Approach Hosted Domain owner issues X.509 AC (RFC 5755) saying Hosting Provider is its XMPP provider When required, hosting provider sends AC down s2s pipe so other end can validate delegation Pro: existing RFC, security fairly well understood and independent of DNSSEC Con: AC's are not that simple, lack of existing AC deployment & libraries

5 XML Delegation Approach Hosted domain puts a file accessible via HTTPS where file content names the Hosting provider How to revoke delegation? (Might involve reinventing ACs) Variations on how to name hosting provider Pro: simple Con: secure?, extra connection(s), hosted domain needs an online server (but not v. busy?)

6 DNS Delegation Approach Name hosting provider (host) in DNS below hosted domain _xmpp-delegate.tcp.im.example.com There *might* be a way to deploy without DNSSEC Pro: simple (depends on 2nd bullet above) Con: dependency on DNS security, with DNSSEC - dependency on DNS admin

7 Other Ideas Mentioned Hosted doman gets public key cert that can “only” be used for XMPP and give the hosting provider the private key Maybe a critical EKU extension or cert-policy But TLS library changes may be needed Out-of-band query to confirm DNS Ask https://xmpp.net (or more) as well as DNShttps://xmpp.net

8 Questions Use case ok? Any more important ones? One or more solutions required? Your thoughts appreciated on: AC approach File/XML approach DNS approach Timeline?

Download ppt "XMPP Delegation draft-ietf-xmpp-dna-00 Jonas Lindberg, Google Stephen Farrell, NewBay software (Based on work."

Similar presentations

RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.

RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.
SIP Session-ID draft-kaplan-sip-session-id-02 Hadriel Kaplan.

SIP Session-ID draft-kaplan-sip-session-id-02 Hadriel Kaplan.
Microsoft® Windows® Rights Management Services (RMS) Deployment and Usage, Step-by-Step.

Microsoft® Windows® Rights Management Services (RMS) Deployment and Usage, Step-by-Step.
SharePoint Apps for IT Pro

SharePoint Apps for IT Pro
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
L3vpn end-system draft Pedro Marques. Overview Defines a mechanism to associate an end- system virtual interface to an L3VPN. – Co-located forwarder:

L3vpn end-system draft Pedro Marques. Overview Defines a mechanism to associate an end- system virtual interface to an L3VPN. – Co-located forwarder:
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
THE DICOM 2014 Chengdu Workshop August 25, 2014 Chengdu, China Keeping It Safe Brad Genereaux, Agfa HealthCare Product Manager Industry Co-Chair, DICOM.

THE DICOM 2014 Chengdu Workshop August 25, 2014 Chengdu, China Keeping It Safe Brad Genereaux, Agfa HealthCare Product Manager Industry Co-Chair, DICOM.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.

DNS-centric PKI Sean Turner Russ Housley Tim Polk.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:

Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:
Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net

Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

Similar presentations

Ads by Google