[Standards] NEW: XEP-0219 (Hop Check)
Mridul
Mridul.Muralidharan at Sun.COM
Fri Jun 1 11:57:45 CDT 2007
Philipp Hancke wrote:
> XMPP Extensions Editor typeth:
>> URL: http://www.xmpp.org/extensions/xep-0219.html
>
> Quoting parts of the XEP:
>
>> As a user, I may want to know three things:
>>
>> 1. If my connection to my server is encrypted.
>> 2. If my server's connection to my contact's server is encrypted.
>
> The hopcheck result in example 4 shows the state of my contact's server
> to my server.
> Unfortunately, XMPP S2S does not work the way your user expects.
> As an S2S connection is unidirectional, the results for both connections
> are needed, not only for the 'security' of my messages to my contact,
> but also for the 'security' of my contact's messages to me (including
> error bounces of my messages).
>
Can't this not be handled in the current case spec itself?
In the C1 <--> S1 <--> S2 <--> C2 case:
* If S1-S2 is insecure, S1 won't even forward to S2 and will return insecure.
* When request arrives at S2, if S2-C2 is insecure, return insecure
(else probe in case there are intermediaries).
* If S2-C2 is secure, S2 can respond with secure only if S2-S1 is secure.
Maybe we could clarify it this (or some better) way ...
Or do you have something else in mind?
> The approach section needs to be updated to accommodate the
> encryption/authentication split.
>
> Additionally, the protocol does not take into account the authentication
> of my contact's server to my server in the case of the outgoing s2s
> connection (i.e. from capulet to montague) and likewise for the backward
> s2s connection.
>
> If my server recognizes that capulet uses a certificate which it
> does not trust or capulet uses a certificate which contains a
> CN/id-on-xmppAddr "Eve", the hop trust of this connection must be
> zero. Btw, the rfc3920 solution to this is to immediately terminate
> the connection?
>
Well, it is only to check if the underlying transport is encrypted
(maybe we should add a note saying that the TLS negotiated must not be with
a null cipher).
It does not say if it was trusted with dialback, cert identity, trusted
certs, etc. Just like it does not say if C2 used proper auth or just did
anonymous login.
My impression was, it just checks if the hops are secure and reasonably
free from security issues due to snooping.
Regards,
Mridul
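
Added example, not part of the original message or of XEP-0219: a small Python model of the rules sketched above for the C1 <--> S1 <--> S2 <--> C2 case, treating each S2S direction as its own link and counting a NULL cipher suite as unencrypted. The names `Link`, `hop_check` and `c2s` and the sample topology are constructed for illustration; only transport encryption is modelled, not authentication.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Link:
    """One direction of one hop (an S2S connection carries one direction only)."""
    src: str
    dst: str
    cipher: Optional[str]  # negotiated TLS cipher suite name; None means no TLS

    def encrypted(self) -> bool:
        # A NULL cipher suite completes a TLS handshake but encrypts nothing.
        return self.cipher is not None and "NULL" not in self.cipher.upper()

def hop_check(path, links):
    """Return ("secure", None) or ("insecure", (src, dst)) for a path C1..C2.

    Forward pass: each entity forwards the probe only over an encrypted
    outgoing link. Return pass: each entity answers "secure" only if its
    link back toward the requester is encrypted as well.
    """
    table = {(l.src, l.dst): l for l in links}
    forward = list(zip(path, path[1:]))
    backward = [(b, a) for a, b in reversed(forward)]
    for src, dst in forward + backward:
        link = table.get((src, dst))
        if link is None or not link.encrypted():
            return "insecure", (src, dst)
    return "secure", None

def c2s(client, server, cipher):
    """A client connection is one TCP stream, so both directions share a cipher."""
    return [Link(client, server, cipher), Link(server, client, cipher)]

# Constructed sample topology, using the labels from the message above.
AES = "TLS_RSA_WITH_AES_128_CBC_SHA"
PATH = ["C1", "S1", "S2", "C2"]
BASE = c2s("C1", "S1", AES) + c2s("C2", "S2", AES) + [Link("S1", "S2", AES)]

ALL_TLS = BASE + [Link("S2", "S1", AES)]
RETURN_PLAIN = BASE + [Link("S2", "S1", None)]
RETURN_NULL = BASE + [Link("S2", "S1", "TLS_RSA_WITH_NULL_SHA")]

if __name__ == "__main__":
    for name, links in [("all TLS", ALL_TLS), ("plain S2->S1", RETURN_PLAIN),
                        ("NULL cipher S2->S1", RETURN_NULL)]:
        print(name, hop_check(PATH, links))
```

The second and third cases are the ones the thread is about: the forward S1-to-S2 stream is encrypted, but the separate S2-to-S1 stream is not, so the answer is "insecure".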