[Standards-JIG] JEP-0124: possible security issues

Peter Saint-Andre stpeter at jabber.org
Mon Mar 13 21:29:53 UTC 2006

In preparation for presenting JEP-0124 (HTTP Binding) to an appropriate
security expert for review, I and others have been thinking a bit about
security issues the spec might need to address. Here are a few:

1. Certificate checking / consistency

   See http://mail.jabber.org/pipermail/council/2006-March/001807.html

2. TLS: HTTP layer or XMPP layer?

   The spec says you SHOULD use channel encryption at the HTTP layer and
   SHOULD NOT use channel encryption at the XMPP layer. It's probably
   less ambiguous to say MUST and MUST NOT here. If we leave the door
   open for doing TLS at the XMPP layer then we need to define how that
   would work (what do you put in the XML?). Better, I think, to use
   HTTPS or HTTP-TLS and be done with it.

3. SASL encryption?

   We need to specify whether it's OK to set up a SASL encryption layer
   (as some SASL mechanisms allow you to do). If so, what do you send in
   the XML? If not, then we need to say that.

4. Request IDs.

   Since request IDs may affect security, we probably need to say what
   to do if the Request ID hits the upper limit. Do you "wrap" back to
   some smaller value? If so, what?

There's probably more I'm missing here, but I'll try to read the spec
over again in detail soon.


--
Peter Saint-Andre
Jabber Software Foundation
