[Security] Re: e2e feedback

Justin Karneges justin at affinix.com
Tue Mar 13 16:05:59 CDT 2007


> based on our requirements, we could simply re-use TLS semantics in XMPP
> syntax rather than define a completely new security protocol

This is not such a bad idea.  A good example of an adapted TLS already in 
existence is DTLS (RFC 4347).  DTLS re-uses just about everything it can from 
TLS, to provide security over an unreliable packetized session.  The basic 
difference from normal TLS is that packets may be dropped or be received out 
of order, and that there is a limitation in the maximum size of a payload 
(basically all UDP limitations, but beware of the security implications that 
come along with them).

Just to get the mind churning, we could use unmodified DTLS over XMPP quite 
easily.  Just base64 encode DTLS packets, and ship them off.

However, XMPP doesn't suffer from as many limitations as UDP.  We have no hard 
limit on stanza size, and packets are not delivered out of order.  Thus, we 
may want to find middle ground between DTLS and TLS.

Or... maybe TLS is enough?  We could establish a new <stream:stream> between 
client endpoints, over IBB, protected with TLS.  The protocol would end up 
looking almost the same as my base64'd DTLS suggestion.

-Justin
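
The framing sketched in the message above (base64-encoded DTLS records carried inside XMPP in-band bytestream stanzas) as an added example; this is not code from the original post or from any XMPP library. It assumes the DTLS 1.0 record header layout from RFC 4347 (content type, version 0xFEFF, 16-bit epoch, 48-bit sequence number, 16-bit length) and the XEP-0047 `<data xmlns='http://jabber.org/protocol/ibb' sid='…' seq='…'>` element; the session id and payloads are constructed. It goes one step beyond the message: because XMPP delivers stanzas in order, the receiver treats any gap, repeat or reordering in either the IBB `seq` or the DTLS epoch/sequence pair as a protocol violation rather than tolerating it the way a UDP-facing DTLS stack would.

```python
import base64
import struct
import xml.etree.ElementTree as ET

IBB_NS = "http://jabber.org/protocol/ibb"   # XEP-0047 namespace
DTLS_VERSION = 0xFEFF                       # DTLS 1.0 per RFC 4347
CT_HANDSHAKE = 22                           # TLS ContentType values
CT_APPLICATION_DATA = 23

# DTLS record header: type(1) version(2) epoch(2) sequence(6) length(2) = 13 bytes
DTLS_HEADER = struct.Struct("!BHH6sH")


def build_dtls_record(content_type, epoch, seq, payload):
    """Serialise one DTLS record (plaintext; no cipher, this is framing only)."""
    if not 0 <= seq < (1 << 48):
        raise ValueError("sequence number must fit in 48 bits")
    if len(payload) > 0xFFFF:
        raise ValueError("record body exceeds 16-bit length field")
    header = DTLS_HEADER.pack(content_type, DTLS_VERSION, epoch,
                              seq.to_bytes(6, "big"), len(payload))
    return header + payload


def parse_dtls_record(raw):
    """Parse a DTLS record, rejecting truncated or mis-sized input."""
    if len(raw) < DTLS_HEADER.size:
        raise ValueError("truncated DTLS header")
    ct, version, epoch, seq6, length = DTLS_HEADER.unpack_from(raw)
    if version != DTLS_VERSION:
        raise ValueError("unexpected DTLS version 0x%04x" % version)
    body = raw[DTLS_HEADER.size:]
    if len(body) != length:
        raise ValueError("record length field does not match body")
    return {"type": ct, "epoch": epoch,
            "seq": int.from_bytes(seq6, "big"), "payload": body}


def wrap_in_ibb(record, sid, seq):
    """Base64 the record and put it in an XEP-0047 <data/> stanza."""
    el = ET.Element("data", {"xmlns": IBB_NS, "sid": sid, "seq": str(seq)})
    el.text = base64.b64encode(record).decode("ascii")
    return ET.tostring(el, encoding="unicode")


def unwrap_from_ibb(stanza):
    """Recover (sid, ibb_seq, raw_record) from a <data/> stanza."""
    el = ET.fromstring(stanza)
    if el.tag != "{%s}data" % IBB_NS:
        raise ValueError("not an IBB data element")
    raw = base64.b64decode(el.text or "", validate=True)
    return el.get("sid"), int(el.get("seq")), raw


class OrderedReceiver:
    """Receiver side.  XMPP guarantees ordered delivery, so a gap or repeat in
    the IBB seq or in the DTLS (epoch, seq) pair is treated as an error."""

    def __init__(self, sid):
        self.sid = sid
        self.next_ibb_seq = 0          # XEP-0047 seq wraps at 65535
        self.last_dtls = (-1, -1)      # highest (epoch, seq) accepted so far

    def receive(self, stanza):
        sid, ibb_seq, raw = unwrap_from_ibb(stanza)
        if sid != self.sid:
            raise ValueError("stanza for unknown IBB session")
        if ibb_seq != self.next_ibb_seq:
            raise ValueError("IBB sequence gap or repeat")
        self.next_ibb_seq = (ibb_seq + 1) % 65536
        rec = parse_dtls_record(raw)
        if (rec["epoch"], rec["seq"]) <= self.last_dtls:
            raise ValueError("replayed or reordered DTLS record")
        self.last_dtls = (rec["epoch"], rec["seq"])
        return rec


def demo():
    """Ship three handshake records in order, then replay one of them."""
    sid = "i781hf64"   # constructed session id
    recs = [build_dtls_record(CT_HANDSHAKE, 0, i, b"flight-%d" % i)
            for i in range(3)]
    stanzas = [wrap_in_ibb(r, sid, i) for i, r in enumerate(recs)]
    rx = OrderedReceiver(sid)
    delivered = [rx.receive(s)["payload"] for s in stanzas]
    try:
        rx.receive(wrap_in_ibb(recs[1], sid, 3))   # fresh IBB seq, stale DTLS seq
        replay_detected = False
    except ValueError:
        replay_detected = True
    return delivered, replay_detected


if __name__ == "__main__":
    print(demo())
```

The DTLS epoch and sequence fields are redundant on an ordered transport, which is exactly the "middle ground" question the message raises: a TLS-over-IBB design could drop them, while keeping them costs 8 bytes per record and gives the receiver a cheap consistency check. Note also that base64 inflates each record by a third, so any IBB block-size negotiated for the stream has to be sized against the encoded record, not the raw one.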
