?

Log in

No account? Create an account

fanf

Oh bloody hell

« previous entry | next entry »
17th Jan 2006 | 16:18

I just got a phone call as a follow-up to today's IT Syndicate meeting. This was the meeting at which my paper on the Chat service was presented. I have been asked to give a talk to the IT Syndicate Technical Committee in two weeks to "enlighten them about Jabber", whatever that means. I've asked them to give me some specific questions they would like answered or to indicate which parts of my briefing paper that they would like me to expand on - I don't know if they want a speaking-to-managers or a speaking-to-techies talk.

But in any case, Bah! and Faugh! How long does this have to take? This started as a skunk works project in October, and I've now been waiting nearly three months to get permission to put _xmpp-{client,server}._tcp.cam.ac.uk SRV records in the DNS.

Update: Looks like it'll be a speaking-to-techies talk, probably including a protocol overview and stuff like that.

| Leave a comment | Share

Comments {6}

Keith Lard

from: keithlard
date: 17th Jan 2006 17:55 (UTC)

Please post slides then :>

Reply | Thread

The Wandering One

from: maxleon
date: 17th Jan 2006 23:09 (UTC)

Not really surprised about the reception at the Syndicate. They are usually quite reluctant to adopt new apps when the advantage to them is not obvious. Apart from technical, are they asking you for functional as well?

Reply | Thread

Tony Finch

from: fanf
date: 18th Jan 2006 10:36 (UTC)

They haven't asked me for anything explicitly, apart from a talk.

Reply | Parent | Thread

Roy

from: owdbetts
date: 19th Jan 2006 01:40 (UTC)

Out of curiousity, are you going to put _jabber._tcp.cam.ac.uk in your DNS too, to improve compatibility with legacy jabber servers, or are they pretty much non-existent these days?

Reply | Thread

Tony Finch

from: fanf
date: 19th Jan 2006 11:02 (UTC)

Yes. It's taking a while for everything to catch up with the XMPP changes, so I'll need both _xmpp-server and _jabber records for s2s. On the c2s end, clients frequently don't know about _xmpp-client records, so they will have to be configured with a server of chat.cam.ac.uk instead of being able to autoconfigure based on the user's JID.

The other evil area is TLS certificate verification. The IETF security wonks required the XMPP WG to specify a TLS cert format which is impossible to buy, because it requires the server identity to be recorded with an id-on-xmppAddr OID in an otherName entity inside the subjectAltName. As well as being unable to buy such a beast, there's no documentation about how to create one with OpenSSL - it involves such magic as defining new OIDs in openssl.conf, and beyond that I start to get lost.

(The IETF have perpetrated this stupidity for HTTP too: RFC 2818 says that the cert must identify the server using the dNSName (sic) entity inside the subjectAltName. At least OpenSSL knows about this OID, but still if you buy a certificate it'll use the cn just like certs from 10 years ago, and totally ignore these gratuitous new complexities.)

This is probably soluble by writing a JEP which says how Jabber software should handle de-facto standard cn certs :-)

There's also the question of what name to have in the cert you present to the client. XMPP says it must be the server's JID, i.e. the domain part of the user's JID, in my case cam.ac.uk. However traditional clients seem to check against the server name, in my case chat.cam.ac.uk. I can probably deal with this either by presenting different certs on ports 5222 (starttls, therefore new) and 5223 (tls-on-connect, therefore trad), or by pointing the _xmpp-client SRV record at a different address than chat.cam.ac.uk. Some interop testing will be required.

Reply | Parent | Thread

handling de-fact CN certs

from: anonymous
date: 24th Feb 2006 22:40 (UTC)

Your JEP is on the way: http://www.jabber.org/jeps/inbox/sasl-external.html

Reply | Parent | Thread