[Security] e2e feedback

Peter Saint-Andre stpeter at jabber.org
Wed Mar 21 10:53:20 CDT 2007

Jakob Schroeter wrote:
> Hi all,
> On Tue Mar 13 2007, Peter Saint-Andre wrote:
>> We received some initial feedback from an IETF security guru regarding
>> encrypted sessions (XEP-0116 etc.). He thinks that, based on our
>> requirements, we could simply re-use TLS semantics in XMPP syntax rather
>> than define a completely new security protocol (which is considered to
>> be a bad idea). Essentially this would treat XMPP as the transport
>> layer, so instead of doing TLS over TCP (as we do for channel
>> encryption) we would do TLS over XMPP for encrypted sessions between
>> endpoints, where we communicate TLS primitives in XML syntax.
> I thought this was a very interesting idea when I first read this, especially 
> since I had most of the necessary infrastructure already in place in gloox. 
> So I sat down today and wrote a proof-of-concept of "XTLS".
> Basically, what I do is base64() TLS handshake data and encrypted payload and 
> wrap it into a <xtls/> element inside a <message/> stanza.

I'm not sure if IQ or message is right. But we can discuss that a bit.

> With some caching it is possible to reduce the TLS anonymous handshake to 4 
> stanzas in total: 2 client --> server, 2 server --> client. Without caching 
> it would be 4 more.
> This is with GnuTLS.
> Unfortunately, I didn't finish my XEP-0155 implementation for this, so this is 
> currently hard-coded in unit tests and a simple ping-pong example.

Yes, we'd need to see how XTLS works with XEP-0155. But that part should 
be fairly straightforward.

> This is in no way meant as a recommendation from a cryptographic point of 
> view, I'll leave that to more knowledgable people.

Thanks, that is helpful.


Peter Saint-Andre
XMPP Standards Foundation

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7358 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20070321/e73148b2/smime.bin

More information about the Security mailing list