[Security] Re: e2e feedback

Matthias Wimmer m at tthias.eu
Fri Mar 16 11:04:24 CDT 2007


Hi!

> We received some initial feedback from an IETF security guru regarding 
> encrypted sessions (XEP-0116 etc.). He thinks that, based on our 
> requirements, we could simply re-use TLS semantics in XMPP syntax rather 
> than define a completely new security protocol (which is considered to 
> be a bad idea). Essentially this would treat XMPP as the transport 
> layer, so instead of doing TLS over TCP (as we do for channel 
> encryption) we would do TLS over XMPP for encrypted sessions between 
> endpoints, where we communicate TLS primitives in XML syntax.

I had this concern about defining a new cryptographic protocol as well
some time ago, when I asked Ian, why at all he is designing a completely
new protocol. I think it is a very good thing, that we got input from the
outside as well, that we should not do this.
While on the other hand I am not sure if mapping TLS on XMPP solves all
our problems. - At least for now. It may change when
draft-hajjeh-tls-sign-02.txt gets finished.

But still I keep saying that the protocol we are looking for is XML
Signature and XML Encryption, that have been defined by the W3C.
http://www.w3.org/Signature/
http://www.w3.org/Encryption/2001/
This are standards specially made to sign and encrypt XML data, so it is
exactly what we need. And even while I asked on the standards JID, nobody
could yet tell me, what would be a problem with this standards. (Maybe
beside, that some people just seem to want to create their own cryptographic
standard. But this is nothing that can be done by anyone, but just by a
group of people with review of even more people.)

So mapping TLS on top of XMPP might be one option for me, while I think we
should also very heavily consider the w3c standards for this. But with
XEP-0116 I am still very very sceptic.


Matthias



More information about the Security mailing list