[jdev] TLS Everywhere

Dave Cridland dave at cridland.net
Mon Oct 28 17:12:47 UTC 2013


On Mon, Oct 28, 2013 at 3:23 AM, Peter Saint-Andre <stpeter at stpeter.im>wrote:

> Almost 15 years have passed since my friend Jeremie Miller released
> the initial version of the jabberd IM server, launching the Jabber
> open-source community and the technology we know today as XMPP. Yet,
> all that time, hop-by-hop encryption using SSL/TLS has been optional
> on the XMPP network. A number of server operators and software
> developers in the XMPP community have decided that needs to change for
> the better. Based on discussions at the XMPP Summit last week in
> Portland, Oregon, I have drafted a plan for upgrading the XMPP network
> to always-on, mandatory, ubiquitous encryption. You can find it here:
>

I'm basically all in favour of this, however last week we also discussed
resurrecting the "Jabber" mark for use as a descriptive label for what you
refer to above as "the XMPP network". As you're aware from my endless
discussion of this a week ago, I'm keen that we get a common strategy
together for discussing and describing the network we have to end-users -
so we can concentrate on supporting developers using XMPP, and end-users
using Jabber, and do both as effectively as possible.

I suspect this manifesto is the de-facto definition that network - and
that's a good thing, too. So I'd be keen to recast this in those terms -
but we would need to agree on the terms involved first, of course. I don't
think this is difficult. "The Jabber Network", an optional subtitle of
"powered by XMPP", and the original light-bulb logo seem fine to me. Then
you define the Jabber Network as being those servers adopting the policy
defined therein, with the provided timetable for adoption.

I'd be more content to have the policy split out from the manifesto,
though. I think they're distinct things, and moreover have a distinct
lifetime. The manifesto is going to be history by May 19th next year, but
the policy will very much live on, and probably change over its lifetime,
as best practise for security changes. So I'd expect it to adapt to
include, say, OTR, or something.

Ultimately, I think the policy will be complex enough to need a
specification of its own; right now, it essentially says (I think)
draft-saintandre-xmpp-tls + well-deployed-CA. I'm not absolutely sure,
because most items are worded differently; however I've gone through it and
matched up most of the bullet points.

I think personally that the policy belongs as a Best Practices XEP, and
shouldn't be trying to restate the Internet Draft at all. I appreciate that
there's an argument that there's no need to have the overhead of a XEP,
especially now when it would fit into two paragraphs at best, but it gives
the network a predefined framework for future maintenance, and the support
of the XSF's expertise in developing it.

And yes, I also appreciate that this means that the XSF "gains control" of
the technical aspects of the network, but I don't think this is a change at
all.

Dave.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20131028/dc955c30/attachment.html>


More information about the JDev mailing list