[Security] Re: e2e feedback

Peter Saint-Andre stpeter at jabber.org
Tue Mar 13 16:32:03 CDT 2007


Justin Karneges wrote:
>> based on our requirements, we could simply re-use TLS semantics in XMPP
>> syntax rather than define a completely new security protocol
> 
> This is not such a bad idea.  A good example of an adapted TLS already in 
> existence is DTLS (RFC 4347).  DTLS re-uses just about everything it can from 
> TLS, to provide security over an unreliable packetized session.  

Right. I was not creative enough to think of "XTLS" because I always 
thought that TLS was for transport layers like TCP and (with the DTLS 
modifications) UDP. We talk about XMPP as a transport technology, but 
it's at a different layer in the stack than TCP or UDP.

> The basic 
> difference from normal TLS is that packets may be dropped or be received out 
> of order, and that there is a limitation in the maximum size of a payload 
> (basically all UDP limitations, but beware of the security implications that 
> come along with them).
> 
> Just to get the mind churning, we could use unmodified DTLS over XMPP quite 
> easily.  Just base64 encode DTLS packets, and ship them off.
> 
> However, XMPP doesn't suffer from as many limitations as UDP.  We have no hard 
> limit on stanza size, and packets are not delivered out of order.  Thus, we 
> may want to find middleground between DTLS and TLS.

That seems to be the best way.

> Or... maybe TLS is enough?  We could establish a new <stream:stream> between 
> client endpoints, over IBB, protected with TLS.  

Yes, or that. And finally a use for IBB! :)

/psa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7358 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20070313/e9f12cd2/smime-0001.bin


More information about the Security mailing list