Slide 1: XMPP Delegation
draft-ietf-xmpp-dna-00
Jonas Lindberg, Google, jonasl@google.com
Stephen Farrell, NewBay Software, stephen.farrell@cs.tcd.ie
(Based on work by Joe Hildebrand and Sean Turner)
Slide 2: Use Case
- Server-to-server security requires that the TLS-authenticated identity match the XMPP server identity
- Some XMPP servers ("hosting providers") want to act for many potential domains ("hosted domains"); some hosted domains want to delegate operation of their server to a hosting provider
- Today this implies many separate TLS connections (and a lot of key-pair juggling)
- Goal is to provide a secure way for a domain to delegate operation of its XMPP server(s)
Slide 3: Plan
- Present the three options discussed so far: 1 from the -00 draft plus 2 from the list
  - Attribute Cert approach
  - XML delegation approach
  - DNS delegation approach
- Produce a -01 documenting (some of) those, based on feedback here
- WG can then decide how to proceed
- Drop/keep whichever in the -02 draft... WGLC
Slide 4: Attribute Cert Approach
- Hosted domain owner issues an X.509 attribute certificate (AC, RFC 5755) saying that the hosting provider is its XMPP provider
- When required, the hosting provider sends the AC down the s2s pipe so the other end can validate the delegation
- Pro: existing RFC; security fairly well understood and independent of DNSSEC
- Con: ACs are not that simple; lack of existing AC deployment and libraries
Slide 5: XML Delegation Approach
- Hosted domain puts a file, accessible via HTTPS, whose content names the hosting provider
- How to revoke a delegation? (Might involve reinventing ACs)
- Variations on how to name the hosting provider
- Pro: simple
- Con: secure?; extra connection(s); hosted domain needs an online server (but not a very busy one?)
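Whichever carrier is chosen for the delegation statement, an AC sent down the s2s pipe (slide 4) or a file fetched over HTTPS (slide 5), the receiving server has to make the same checks before it accepts traffic for the hosted domain from the provider. The Go program below is an added example, not code from the draft or from any XMPP server: it stands in for the AC with a JSON assertion signed by an Ed25519 key trusted for the hosted domain (an assumption made to keep the example self-contained; the draft's AC approach would use an X.509 AC and the hosted domain's certificate), and all domain names and the "xmpp-provider" attribute value are constructed for illustration. The point it demonstrates is the binding check: the provider named in the delegation must equal the TLS-authenticated peer name, so that a third party holding a perfectly valid certificate for its own name cannot replay someone else's delegation, and the only revocation a plain signed statement offers is its validity window, which is the concern raised on slide 5.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Delegation is a simplified stand-in for the attribute certificate of the
// AC approach: the hosted domain's owner asserts that one named hosting
// provider is its XMPP provider for a bounded period. Constructed for this
// example; the draft would carry this as an X.509 AC per RFC 5755.
type Delegation struct {
	HostedDomain    string    `json:"hosted_domain"`
	HostingProvider string    `json:"hosting_provider"` // the AC "holder"
	Attribute       string    `json:"attribute"`        // constructed value "xmpp-provider"
	NotBefore       time.Time `json:"not_before"`
	NotAfter        time.Time `json:"not_after"`
}

// SignedDelegation is the encoded delegation plus the hosted domain owner's
// Ed25519 signature over that encoding.
type SignedDelegation struct {
	Payload   []byte
	Signature []byte
}

// Sign is what the hosted domain owner runs once when delegating.
func Sign(d Delegation, issuerKey ed25519.PrivateKey) (SignedDelegation, error) {
	payload, err := json.Marshal(d)
	if err != nil {
		return SignedDelegation{}, err
	}
	return SignedDelegation{Payload: payload, Signature: ed25519.Sign(issuerKey, payload)}, nil
}

// Verify is what the receiving s2s endpoint runs. claimedDomain is the hosted
// domain the peer says it serves; tlsPeerName is the identity the TLS handshake
// actually authenticated; issuerPub is the key trusted for claimedDomain.
func Verify(sd SignedDelegation, issuerPub ed25519.PublicKey, claimedDomain, tlsPeerName string, now time.Time) (Delegation, error) {
	var d Delegation
	// 1. The statement must really come from the hosted domain's owner.
	if !ed25519.Verify(issuerPub, sd.Payload, sd.Signature) {
		return d, errors.New("delegation signature invalid")
	}
	if err := json.Unmarshal(sd.Payload, &d); err != nil {
		return d, err
	}
	// 2. It must be about the domain the peer is claiming, not some other one.
	if d.HostedDomain != claimedDomain {
		return d, fmt.Errorf("delegation is for %q, peer claims %q", d.HostedDomain, claimedDomain)
	}
	// 3. The named provider must be the peer TLS authenticated; otherwise any
	//    server with a valid certificate for its own name could replay the AC.
	if d.HostingProvider != tlsPeerName {
		return d, fmt.Errorf("delegation holder %q does not match TLS peer %q", d.HostingProvider, tlsPeerName)
	}
	// 4. Right attribute, and still within its lifetime (expiry is the only
	//    revocation a bare signed statement provides).
	if d.Attribute != "xmpp-provider" {
		return d, fmt.Errorf("unexpected attribute %q", d.Attribute)
	}
	if now.Before(d.NotBefore) || now.After(d.NotAfter) {
		return d, errors.New("delegation outside its validity window")
	}
	return d, nil
}

func main() {
	// Constructed names: im.example.com delegates to xmpp.hoster.example.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	sd, _ := Sign(Delegation{
		HostedDomain: "im.example.com", HostingProvider: "xmpp.hoster.example",
		Attribute: "xmpp-provider", NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, priv)

	_, err := Verify(sd, pub, "im.example.com", "xmpp.hoster.example", now)
	fmt.Println("legitimate provider:", err)
	_, err = Verify(sd, pub, "im.example.com", "xmpp.attacker.example", now)
	fmt.Println("other TLS identity replaying the delegation:", err)
	_, err = Verify(sd, pub, "im.example.com", "xmpp.hoster.example", now.Add(48*time.Hour))
	fmt.Println("after expiry:", err)
}
```

The same four checks apply to the HTTPS file variant, with check 1 replaced by the HTTPS server authentication of the hosted domain's web host; what the file approach has no answer for is how the hosted domain withdraws a delegation that a peer has already cached, which is why the slide notes it may end up reinventing ACs.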
Slide 6: DNS Delegation Approach
- Name the hosting provider (host) in DNS below the hosted domain, e.g. _xmpp-delegate.tcp.im.example.com
- There *might* be a way to deploy without DNSSEC
- Pro: simple (depends on the 2nd bullet above)
- Con: dependency on DNS security; with DNSSEC, dependency on the DNS admin
Slide 7: Other Ideas Mentioned
- Hosted domain gets a public-key cert that can "only" be used for XMPP and gives the hosting provider the private key
  - Maybe a critical EKU extension or certificate policy
  - But TLS library changes may be needed
- Out-of-band query to confirm DNS
  - Ask https://xmpp.net (or more) as well as DNS
Slide 8: Questions
- Use case OK? Any more important ones?
- One or more solutions required?
- Your thoughts appreciated on:
  - AC approach
  - File/XML approach
  - DNS approach
- Timeline?