[Standards-JIG] RE: e2e

Jean-Louis Seguineau/EXC/ENG jean-louis.seguineau at antepo.com
Wed Apr 14 14:14:39 UTC 2004


All,

Thanks Peter for this thorough analysis, and once again I salute your
ability to mediate and harmonize on matter that are often passionate.

Beyond the details, I believe that we, at the jabber community, have to come
up with a thorough response to the underlying need for a proper way of
securing/authenticating conversations between entities. As Peter put it, I
don't think many in the jabber developer community will go and implement the
IETF draft as is. For many reasons, one being probably that this is a least
common denominator imposed upon XMPP to achieve partial compliance with past
initiatives at the IETF. The interoperability with SIMPLE simply does not
hold in this case, as there are initiatives in this community to use
specifications from the web service space.

When working together the JSF has achieved several striking successes in
defining standards that developers and commercial companies have implemented
in their XMPP products. MUC and PUB/SUB are certainly among these
achievements, just to name a few...

By looking at all these JEPs in the making, and at past proposals and the
accompanying threads, I believe we have a very good ground to produce a JSF
common stand on this security matter. As usual this would require proper
coordination, but some have already demonstrated their ability in the matter
(Peter ?). And once this is done we can push it as an alternative draft at
the IETF...

Best

Jean-Louis

-----Original Message-----

Message: 4
Date: Mon, 12 Apr 2004 17:31:34 -0500
From: Peter Saint-Andre <stpeter at jabber.org>
Subject: [Standards-JIG] e2e
To: standards-jig at jabber.org
Message-ID: <20040412223134.GC673 at jabber.org>
Content-Type: text/plain; charset=us-ascii

Several weeks ago, Justin Karneges submitted to the JEP Editor a 
proposal for "secure stanzas" with the intent that it be approved
for publication as a JEP:

http://www.jabber.org/jeps/inbox/secure.html

As JEP Editor, and in consultation with the Jabber Council, I have 
decided not to publish this proposal as a JEP. My reasons were stated
on the publicly-archived Council mailing list, but I shall restate 
them here for full disclosure.

Justin's proposal is substantially the same as version -02 of the
xmpp-e2e Internet-Draft:

http://www.jabber.org/ietf/attic/draft-ietf-xmpp-e2e-02.html

Serious and sustained concerns were raised about that Internet-Draft by
many members of the IETF community in the following email thread:

http://www.jabber.org/pipermail/xmppwg/2003-May/001039.html

The full thread is a matter of public record and can be reviewed at the
foregoing URL. In short, the IETF community was concerned that the
proposal could not be interoperable with other IETF technologies (mainly
IM systems based on SIP and using the CPIM syntaxes for messaging and 
presence), which would prevent true end-to-end encryption for instant
messaging and presence over the Internet.

Based on my experience working closely with the IETF over the last 2+
years, I think that for the JSF to publish Justin's proposal as a JEP 
would be seen as bad faith within the IETF: certainly as a breach of 
trust, and perhaps even as a violation of the IETF's intellectual 
property rights policy (note that the Internet-Draft referred to above 
is copyrighted by the IETF).

I fully and painfully realize that 98% of Jabber developers loathe the
xmpp-e2e protocol: it requires them to handle S/MIME (and multipart to
boot!), build CPIM parsers (of which none exist), potentially handle
arbitrary MIME types (since Message/CPIM allows that), etc. The entire
xmpp-e2e protocol is just not in harmony with the Jabber Way and is 
perceived by the developer community as damage, which is why we see 
continuing efforts to route around it, including Justin's proposal 
and JEP-0116. I realize that the likely outcome is this: no one will 
implement the xmpp-e2e Internet-Draft and developers will continue 
using JEP-0027 or move to something like JEP-0116, at least for
session-based communications.

I don't like any of this, and I'm not quite sure what to do about it. 
However, one thing I do know: publishing Justin's proposal as a JEP is 
not part of the solution.

BTW, draft-ietf-xmpp-e2e-07 is currently in IETF Last Call:

http://www1.ietf.org/mail-archive/ietf-announce/Current/msg00022.html

Please note that no one is forcing developers to implement that
protocol, should it be approved by the IESG. However, if you have
comments on draft-ietf-xmpp-e2e-07, now is the time to submit them
within the IETF.

As always, feedback is welcome.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php



------------------------------

_______________________________________________
Standards-JIG mailing list
Standards-JIG at jabber.org
https://jabberstudio.org/mailman/listinfo/standards-jig


End of Standards-JIG Digest, Vol 3, Issue 9
*******************************************




More information about the Standards mailing list