[Security] e2e feedback
Peter Saint-Andre
stpeter at jabber.org
Tue Mar 13 15:16:14 CDT 2007
We received some initial feedback from an IETF security guru regarding
encrypted sessions (XEP-0116 etc.). He thinks that, based on our
requirements, we could simply re-use TLS semantics in XMPP syntax rather
than define a completely new security protocol (which is considered to
be a bad idea). Essentially this would treat XMPP as the transport
layer, so instead of doing TLS over TCP (as we do for channel
encryption) we would do TLS over XMPP for encrypted sessions between
endpoints, where we communicate TLS primitives in XML syntax.
I have not yet had the time to investigate this approach, but I will look
into the possibility before tomorrow's meeting of the XMPP Council. The
relevant spec is RFC 4346:
http://www.ietf.org/rfc/rfc4346.txt
The good thing about this approach is that it would, I think, be
immediately palatable to the IETF. I doubt that people could re-use
existing TLS libraries directly since our syntax would be different, but
conceptually the approaches would be the same.
Peter
--
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml