[Security] e2e feedback
Peter Saint-Andre
stpeter at jabber.org
Wed Mar 21 10:53:20 CDT 2007
Jakob Schroeter wrote:
> Hi all,
>
> On Tue Mar 13 2007, Peter Saint-Andre wrote:
>> We received some initial feedback from an IETF security guru regarding
>> encrypted sessions (XEP-0116 etc.). He thinks that, based on our
>> requirements, we could simply re-use TLS semantics in XMPP syntax rather
>> than define a completely new security protocol (which is considered to
>> be a bad idea). Essentially this would treat XMPP as the transport
>> layer, so instead of doing TLS over TCP (as we do for channel
>> encryption) we would do TLS over XMPP for encrypted sessions between
>> endpoints, where we communicate TLS primitives in XML syntax.
>
> I thought this was a very interesting idea when I first read this, especially
> since I had most of the necessary infrastructure already in place in gloox.
> So I sat down today and wrote a proof-of-concept of "XTLS".
>
> Basically, what I do is base64() TLS handshake data and encrypted payload and
> wrap it into a <xtls/> element inside a <message/> stanza.
I'm not sure if IQ or message is right. But we can discuss that a bit.
> With some caching it is possible to reduce the TLS anonymous handshake to 4
> stanzas in total: 2 client --> server, 2 server --> client. Without caching
> it would be 4 more.
> This is with GnuTLS.
>
> Unfortunately, I didn't finish my XEP-0155 implementation for this, so this is
> currently hard-coded in unit tests and a simple ping-pong example.
Yes, we'd need to see how XTLS works with XEP-0155. But that part should
be fairly straightforward.
> This is in no way meant as a recommendation from a cryptographic point of
> view, I'll leave that to more knowledgable people.
Thanks, that is helpful.
Peter
--
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7358 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20070321/e73148b2/smime.bin
More information about the Security
mailing list