[Security] e2e feedback

Peter Saint-Andre stpeter at jabber.org
Tue Mar 13 15:16:14 CDT 2007


We received some initial feedback from an IETF security guru regarding 
encrypted sessions (XEP-0116 etc.). He thinks that, based on our 
requirements, we could simply re-use TLS semantics in XMPP syntax rather 
than define a completely new security protocol (which is considered to 
be a bad idea). Essentially this would treat XMPP as the transport 
layer, so instead of doing TLS over TCP (as we do for channel 
encryption) we would do TLS over XMPP for encrypted sessions between 
endpoints, where we communicate TLS primitives in XML syntax.

I have not yet had the time to investigate this approach, but I will look
into the possibility before tomorrow's meeting of the XMPP Council. The 
relevant spec is RFC 4346:

http://www.ietf.org/rfc/rfc4346.txt

The good thing about this approach is that it would, I think, be 
immediately palatable to the IETF. I doubt that people could re-use 
existing TLS libraries directly since our syntax would be different, but 
conceptually the approaches would be the same.

Peter

-- 
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
