chris.mullins at coversant.net
Fri Mar 16 17:53:27 CDT 2007
My understanding of the XTLS is that we would take the existing TLS
algorithm, and map each step of that algorithm to an XMPP step, and do
that on a per-conversation basis. This would end up being similar to the
way we implemented SASL on XMPP - we took each step, wrapped some
XMPP-ish XML around it, and called it done.
TLS for me is a much more complex beast than SASL, and as a result, I
really don't want to implement a custom TLS library.
On the server side, we currently are able to take advantage of TLS hooks
in the operating system - this means that the O/S itself worries about
the actual encryption / decryption. If I drop in a rich network card
that has a DSP on it, that network card will actually handle the
encryption / decryption and keep my processor(s) happy.
There are also many round trips required to negotiate a TLS connection -
I don't remember the number, but it's in the 9 or 10 range. I don't know
of any existing libraries that would be a "drop in" solution to this
problem. Nothing would expose the right hooks at the right levels to
make this an easy implementation. Certainly for .Net this is the case
(Mentalis doesn't count - it's way too buggy, and no longer supported),
and I suspect it is for Java as well. The C/C++ guys might be able to
use OpenSSL, but it's certainly not a given.
On the other hand, if we go with an XmlEnc approach, the libraries to do
it are all done (at least in .Net / Java / C++). This is a huge win for
both client & server developers.
(As a quick side note) Another use case I would like to see is the MUC
use case. There are a few ways to go about this, some of which seem
better than others.
From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
Behalf Of Peter Saint-Andre
Sent: Friday, March 16, 2007 3:26 PM
To: security at xmpp.org
Subject: [Security] XTLS
In the XMPP Council meeting held earlier this week, Council member Chris
[13:52:55] <Chris Mullins> xTLS scares me to death.
[13:53:11] <Chris Mullins> I do NOT want to implement that, nor deal
with the implications of implementing it.
Chris, do you care to elaborate?
It might be helpful to have a stub document that shows what XTLS would
look like. I'll try to put something together soon, if only for my own
XMPP Standards Foundation
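The "wrap each step in XMPP-ish XML" pattern the thread compares XTLS to is how XMPP already carries SASL: each opaque binary step goes base64-encoded inside an element in the urn:ietf:params:xml:ns:xmpp-sasl namespace. The following is an added example, not code from the thread or from any XMPP implementation; it shows that carrier pattern with the real SASL namespace and element names, plus a constructed placeholder namespace and element (urn:example:xtls-placeholder, xtls) standing in for a hypothetical XTLS step. It does not implement TLS itself: the "handshake" payloads are constructed bytes, and the point is the wrapping, the receiver-side validation (namespace, element, strict base64) and the round-trip accounting.

```python
"""Carrying opaque binary protocol steps inside XMPP-style XML elements.

SASL_NS and the auth/challenge/response element names are the real ones from
RFC 3920.  XTLS_NS and the 'xtls' element are constructed placeholders for the
idea discussed on the list; no such specification is assumed to exist.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"   # real (RFC 3920)
XTLS_NS = "urn:example:xtls-placeholder"       # constructed placeholder


def wrap_step(payload: bytes, element: str, ns: str) -> str:
    """Base64-encode one protocol step and wrap it in a namespaced element."""
    elem = ET.Element(f"{{{ns}}}{element}")
    elem.text = base64.b64encode(payload).decode("ascii")
    return ET.tostring(elem, encoding="unicode")


def unwrap_step(xml_text: str, expected_ns: str, expected_element: str) -> bytes:
    """Parse one wrapped step on the receiving side.

    Rejects anything that is not the expected element in the expected
    namespace, and rejects bodies that are not strictly valid base64, so a
    stray or malformed stanza never reaches the protocol engine underneath.
    """
    elem = ET.fromstring(xml_text)
    if elem.tag != f"{{{expected_ns}}}{expected_element}":
        raise ValueError(f"unexpected element {elem.tag}")
    try:
        return base64.b64decode((elem.text or "").strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64 body") from exc


def is_rejected(xml_text: str, expected_ns: str, expected_element: str) -> bool:
    """True if the receiver refuses the stanza (validation helper)."""
    try:
        unwrap_step(xml_text, expected_ns, expected_element)
    except ValueError:
        return True
    return False


def relay_exchange(steps, ns: str, element: str):
    """Push an ordered list of (sender, payload) steps through the XML carrier.

    Each step is wrapped by the sender and unwrapped by the peer.  Returns the
    recovered payloads and the number of round trips, counting one round trip
    each time a server step directly answers a client step.
    """
    recovered = []
    round_trips = 0
    for i, (sender, payload) in enumerate(steps):
        recovered.append(unwrap_step(wrap_step(payload, element, ns), ns, element))
        if sender == "server" and i > 0 and steps[i - 1][0] == "client":
            round_trips += 1
    return recovered, round_trips


# Constructed sample exchange; the byte strings are NOT real TLS messages.
SAMPLE_STEPS = [
    ("client", b"\x16\x03\x01client-hello"),
    ("server", b"\x16\x03\x01server-hello"),
    ("client", b"\x14\x03\x01client-finished"),
    ("server", b"\x14\x03\x01server-finished"),
]

if __name__ == "__main__":
    # The established SASL pattern: a server challenge wrapped for the wire.
    print(wrap_step(b"nonce=\"abc\"", "challenge", SASL_NS))
    # The same carrier used for a placeholder XTLS step, and the accounting.
    payloads, trips = relay_exchange(SAMPLE_STEPS, XTLS_NS, "xtls")
    print(len(payloads), "steps carried,", trips, "round trips")
    # A stanza in the wrong namespace is refused before any crypto runs.
    print(is_rejected(wrap_step(b"x", "xtls", XTLS_NS), SASL_NS, "auth"))
```

The receiver-side checks are the part worth keeping regardless of which approach the list settles on: whatever sits underneath (a TLS engine or XmlEnc) should only ever see bytes that arrived in the expected element, in the expected namespace, and decoded without error.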