Re: XMPP x.509 client cert management



Arc Riley wrote:
> I've been talking to Adam tonight about adding support for
> publishing/managing client auth certs to an XMPP server.  Here's a
> background for why and how;

Cool. This would fit nicely with the new certificate support in
gnome-keyring.

> Seahorse already handles x.509 cert management and gkr.

Yes, the support is growing all the time. gnome-keyring has recently
become much more solid in the handling of certificates and private keys.

> The interaction
> with clients is already taken care of.  The part I'm proposing to add is
> in interfacing with the XMPP server to publish and manage the
> certificates.  To do this in a short amount of code I'm going to need to
> add an XMPP client library as a "soft dependency".

Not sure I understand. Would the certificates be stored in XMPP?
Wouldn't the XMPP client just access the certificates and private keys
in the gnome-keyring private key store.

BTW, gnome-keyring uses the industry standard PKCS#11 API and exposes
its key and certificate store using that. So any program that is compatible
with that API (including NSS and many crypto libraries) can use the keys
and certificates in there.

The primary goal, I guess, would be for the XMPP clients to access
their private key and certificate in gnome-keyring, no?

> Adam suggested using the same library as Telepathy, to keep Gnome's
> dependency list small.  Telepathy currently uses loudmouth and is
> migrating away from it for the same reason we're moving away from it for
> our game engine.  There are many crappy XMPP client libraries in the
> community.  The original author of Icecast and an xmpp.org
> board member, Jack Moffitt, recently wrote a small
> (78k compiled, 7k lines of code) library called libstrophe to replace
> loudmouth.  I have a high degree of faith in Jack and will also note
> that seahorse's use of XMPP will be limited to logging in and publishing
> certs, getting a list of currently added certs, and removing them from
> the server.

Ah, I think I'm understanding better. This is for managing of the
certificates on the server. Is there a standardized protocol for this or
an RFC? Which servers implement this support?

> The other question that is raised is what the UI for managing keys on
> the server would be.  Adam suggested reusing the keyserver results window with a
> context menu providing a "remove" option.  I don't know enough about how
> this would look to suggest an alternative, I'd just like the window not
> to be titled or otherwise present the listed keys as search results.

True, that could work.

Another way would be to design a special window for it. Similar in
concept to the current sending of SSH keys to another computer, but more
advanced. This may be clearer for users, as it's action oriented.

> This extension is an experimental draft, so in adding this functionality
> I'll be taking responsibility to update the code to reflect any changes
> in the protocol until the XEP is accepted (which may be years from now,
> many XEPs are supported in software before they're standardized).
> 
> http://xmpp.org/extensions/xep-0257.html

I imagine these aren't self signed certificates, right? An authority
would need to sign them, and that seems outside the scope of the spec.
Does XMPP have its own Enhanced Usage OID?

Looking forward to working with you on this.

BTW, sorry for the major delay in getting back to you. Somehow your
email was sorted strange in my folder :(

Cheers,

Stef