[Security] XTLS

Peter Saint-Andre stpeter at jabber.org
Wed Mar 21 11:34:46 CDT 2007


Justin Karneges wrote:
> On Friday 16 March 2007 8:17 pm, Peter Saint-Andre wrote:
>> Justin Karneges wrote:
>>> If by XTLS you mean you want to define a usage of TLS (e.g. base64
>>> encoding segments of a TLS stream), then that shouldn't be scary at all.
>> Sure we'd have things like:
>>
>> <iq>
>>    <xtls xmlns='urn:xmpp:xtls'>base64</xtls>
>> </iq>
>>
>> The TLS stuff would all be base64-encoded, just hand it off to OpenSSL
>> and you're done. Sort of. :) We'd need to bubble the results up to the
>> XMPP application layer so the client knows when the negotiation is done.
>> And I'm sure there are subtleties. But that is the basic idea AFAICS.
> 
> I think you're done. :)  Running TLS over an IBB (or similar) stream is not 
> any different from running TLS over TCP, provided you don't have to fight 
> your TLS library very much.  The client knows when the TLS negotiation is 
> completed because the TLS library says so.

I don't know if we need IBB for that, why not put it in a dedicated 
namespace? IBB is general, xtls is more specific.

> If we went this route, I'd suggest simply starting an XML stream over the TLS 
> channel, and using that for stanza exchange.  Voila, e2e.

What exactly is the TLS channel? My understanding is that you'd exchange 
these <message><xtls>base64</xtls></message> stanzas to do the 
negotiation and then you'd have a TLS channel over XMPP, so all your 
comms with the other person would now be included in those <xtls/> 
elements. But probably I'm missing something -- would we use <xtls/> 
only for the negotiation? If so, then what?

Peter

-- 
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
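Justin's point that TLS over base64 stanzas is just TLS over another transport, as an added example that is not from this thread: a Go net.Conn whose Read and Write carry nothing but `<xtls xmlns='urn:xmpp:xtls'>base64</xtls>` elements, handed straight to crypto/tls on both ends. The in-memory channel pair standing in for the XMPP stream, the throwaway Ed25519 self-signed certificate and InsecureSkipVerify are demo assumptions; the namespace is the one floated in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"math/big"
	"net"
	"strings"
	"time"
)
const openTag, closeTag = "<xtls xmlns='urn:xmpp:xtls'>", "</xtls>"
// stanzaConn is a net.Conn whose bytes exist on the wire only as base64 inside <xtls/>
// stanzas; the channels stand in for the XMPP stream and the embedded net.Conn stays nil.
type stanzaConn struct {
	net.Conn
	in, out chan string
	pending []byte // decoded record bytes the TLS library has not consumed yet
}
func (c *stanzaConn) Write(p []byte) (int, error) {
	c.out <- openTag + base64.StdEncoding.EncodeToString(p) + closeTag
	return len(p), nil
}
func (c *stanzaConn) Read(p []byte) (n int, err error) {
	if len(c.pending) == 0 { // pull the next stanza, strip the tags, decode the payload
		b64 := strings.TrimSuffix(strings.TrimPrefix(<-c.in, openTag), closeTag)
		if c.pending, err = base64.StdEncoding.DecodeString(b64); err != nil {
			return 0, err // anything that is not an <xtls/> stanza is rejected here
		}
	}
	n = copy(p, c.pending)
	c.pending = c.pending[n:]
	return n, nil
}
// handshakeOverStanzas: a full TLS handshake with every wire byte inside an xtls stanza;
// each side learns the negotiation is over when its own Handshake call returns.
func handshakeOverStanzas() (uint16, error) {
	c2s, s2c, srvErr := make(chan string, 8), make(chan string, 8), make(chan error, 1)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway self-signed cert, demo only
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	srv := tls.Server(&stanzaConn{in: c2s, out: s2c}, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	go func() { srvErr <- srv.Handshake() }() // the other party, fed only from the client's stanzas
	cli := tls.Client(&stanzaConn{in: s2c, out: c2s}, &tls.Config{InsecureSkipVerify: true}) // demo: no cert check
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, <-srvErr
}
```

Once Handshake returns, anything written to cli goes through the same stanzaConn.Write, so the stanza stream carries the whole encrypted session, not only the negotiation.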
