[Standards-JIG] Jingle vs. Zoep

Peter Saint-Andre stpeter at jabber.org
Fri Feb 10 02:11:00 UTC 2006

Justin Karneges wrote:

> Jingle reminds me of SIMPLE, in that it is overstepping its boundaries.

Thanks for the compliment.

Now, shall we discuss some real issues?

1. Authenticated identities. XMPP has them, SIP doesn't. Yes,
authentication is OPTIONAL in SIP (since it was originally envisioned as
a peer-to-peer system, and has only more recently been shoehorned into a
client-server architecture in which clients auth with servers). How does
Zoep deal with that? There are major security concerns here.

2. Validated from addresses. XMPP has them, SIP doesn't. You can't trust
the from addresses in SIP. How does Zoep address that? Here again this
introduces all manner of security problems.

3. Mixing of XMPP and SIP addresses. The Zoep spec right now has things
like <sip:user@host/resource>. What is that? It doesn't look like a SIP
address to me, it looks like an XMPP address. (Though the SIP URI scheme
is so complicated that even SIP gurus cannot easily tell whether a SIP
URI is valid or not). There are also issues of internationalization here
(SIP addresses are US-ASCII only, how are our friends in East Asia going
to handle that?). Plus the Zoep folks need to clearly define what the
relationship is between XMPP addresses and (asserted) SIP addresses --
how does anyone know that the SIP addresses in the Zoep payload have
anything to do with the XMPP addresses on the stanzas? Or do we just
pass along the SIP stuff without doing any kind of validation? Since SIP
has many of the same problems as email in this regard (see #1 and #2
above), encapsulating raw SIP in an XMPP wrapper strikes me as similar
to sending email over XMPP.

4. Content validation. Some very significant adopters of XMPP like it
precisely because they can validate all the XML that flows across the
wire using standard XML tools. It is much more difficult to parse SIP as
it goes over the wire (yes, there are SIP-specific firewall products,
but they are specialized and expensive).

I know I posted these questions before but I haven't seen good answers
to them yet.


--
Peter Saint-Andre
Jabber Software Foundation
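
Added example (not part of the original message, and not Zoep's own code): a Python check of the kind question 3 asks about, comparing the server-validated from address on the stanza with the From address asserted inside an encapsulated SIP message. The wrapper element, its namespace, the function names and the sample stanzas are constructed assumptions, since the message does not show Zoep's payload syntax; JID comparison is simplified (no stringprep).

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical wrapper element: the message does not show Zoep's real syntax.
WRAPPER = "{urn:example:sip-in-xmpp}sip"

def bare_jid(jid):
    """user@host without the resource (simplified: no stringprep)."""
    return jid.split("/", 1)[0].lower()

def sip_from_address(sip_text):
    """Return user@host from the From (or compact 'f') header, else None."""
    for line in sip_text.strip().splitlines():
        if not line.strip():
            break  # blank line ends the SIP headers
        name, _, value = line.partition(":")
        if name.strip().lower() in ("from", "f"):
            m = re.search(r"sips?:([^@;>\s]+)@([^:;>\s]+)", value)
            return f"{m.group(1)}@{m.group(2)}".lower() if m else None
    return None

def check_stanza(xml_text):
    """Compare the server-validated stanza 'from' with the asserted SIP From."""
    stanza = ET.fromstring(xml_text)
    payload = stanza.find(WRAPPER)
    if payload is None:
        return "no-sip-payload"
    jid = bare_jid(stanza.get("from", ""))
    if not jid.isascii():
        return "jid-not-ascii"  # SIP addresses are US-ASCII only (point 3)
    asserted = sip_from_address(payload.text or "")
    if asserted is None:
        return "no-sip-from"
    return "match" if asserted == jid else "mismatch"

def make_stanza(frm, sip_addr):
    """Build a constructed sample stanza carrying a raw SIP INVITE."""
    sip = (f'INVITE sip:bob@example.net SIP/2.0\nFrom: "Alice" <sip:{sip_addr}>;tag=1\n'
           'To: <sip:bob@example.net>\n\nv=0\n')
    return (f'<iq from="{frm}" to="bob@example.net/desk" type="set" id="c1">'
            f'<sip xmlns="urn:example:sip-in-xmpp">{escape(sip)}</sip></iq>')

if __name__ == "__main__":
    for frm, addr in [("alice@example.com/laptop", "alice@example.com"),
                      ("alice@example.com/laptop", "ceo@example.org"),
                      ("太郎@example.jp/home", "taro@example.jp")]:
        print(frm, "->", addr, ":", check_stanza(make_stanza(frm, addr)))
```

A "mismatch" or "jid-not-ascii" result is the case the message warns about: the SIP address in the payload is not tied to the authenticated XMPP sender.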
