[Security] Re: e2e feedback
Justin Karneges
justin at affinix.com
Tue Mar 13 16:05:59 CDT 2007
> based on our requirements, we could simply re-use TLS semantics in XMPP
> syntax rather than define a completely new security protocol
This is not such a bad idea. A good example of an adapted TLS already in
existence is DTLS (RFC 4347). DTLS re-uses just about everything it can from
TLS, to provide security over an unreliable packetized session. The basic
difference from normal TLS is that packets may be dropped or be received out
of order, and that there is a limitation in the maximum size of a payload
(basically all UDP limitations, but beware of the security implications that
come along with them).
Just to get the mind churning, we could use unmodified DTLS over XMPP quite
easily. Just base64 encode DTLS packets, and ship them off.
However, XMPP doesn't suffer from as many limitations as UDP. We have no hard
limit on stanza size, and packets are not delivered out of order. Thus, we
may want to find middleground between DTLS and TLS.
Or... maybe TLS is enough? We could establish a new <stream:stream> between
client endpoints, over IBB, protected with TLS. The protocol would end up
looking almost the same as my base64'd DTLS suggestion.
-Justin
More information about the Security
mailing list