[Standards-JIG] JEP-0124: possible security issues
stpeter at jabber.org
Mon Mar 13 21:29:53 UTC 2006
In preparation for presenting JEP-0124 (HTTP Binding) to an appropriate
security expert for review, I and others have been thinking a bit about
security issues the spec might need to address. Here are a few:
1. Certificate checking / consistency

2. TLS: HTTP layer or XMPP layer?
The spec says you SHOULD use channel encryption at the HTTP layer and
SHOULD NOT use channel encryption at the XMPP layer. It's probably
less ambiguous to say MUST and MUST NOT here. If we leave the door
open for doing TLS at the XMPP layer then we need to define how that
would work (what do you put in the XML?). Better, I think, to use
HTTPS or HTTP-TLS and be done with it.

3. SASL encryption?
We need to specify whether it's OK to set up a SASL encryption layer
(as some SASL mechanisms allow you to do). If so, what do you send in
the XML? If not, then we need to say that.

4. Request IDs.
Since request IDs may affect security, we probably need to say what
to do if the Request ID hits the upper limit. Do you "wrap" back to
some smaller value? If so, what?

There's probably more I'm missing here, but I'll try to read the spec
over again in detail soon.
Jabber Software Foundation