[Standards-JIG] JEP-0124: possible security issues
Mridul.Muralidharan at Sun.COM
Tue Mar 14 08:58:47 UTC 2006
I would strongly argue for keeping the contents within the body element
as XML itself: the actual packet data, that is.
Not some encoded or encrypted version which has to be processed before it
can be passed on to the server (or requires decoding at the server), unless
of course it is already specified that way (like the semantics of some
packets, etc.).
So essentially, I am arguing against supporting TLS and SASL
encryption of the stream.
Is SASL encryption supported at the XMPP stream level, btw? I thought it
was not...
Also, about HTTP-TLS...
The spec seems to discourage this; is it envisioned that people will
use HTTP and upgrade to TLS?
If not, then it might make client implementations simpler if we just
remove that section from the JEP.
Specify HTTP for potentially insecure and HTTPS for secure.
Peter Saint-Andre wrote on 03/14/06 02:59:
> In preparation for presenting JEP-0124 (HTTP Binding) to an appropriate
> security expert for review, I and others have been thinking a bit about
> security issues the spec might need to address. Here are a few:
> 1. Certificate checking / consistency
> See http://mail.jabber.org/pipermail/council/2006-March/001807.html
> 2. TLS: HTTP layer or XMPP layer?
> The spec says you SHOULD use channel encryption at the HTTP layer and
> SHOULD NOT use channel encryption at the XMPP layer. It's probably
> less ambiguous to say MUST and MUST NOT here. If we leave the door
> open for doing TLS at the XMPP layer then we need to define how that
> would work (what do you put in the XML?). Better, I think, to use
> HTTPS or HTTP-TLS and be done with it.
> 3. SASL encryption?
> We need to specify whether it's OK to set up a SASL encryption layer
> (as some SASL mechanisms allow you to do). If so, what do you send in
> the XML? If not, then we need to say that.
> 4. Request IDs.
> Since request IDs may affect security, we probably need to say what
> to do if the Request ID hits the upper limit. Do you "wrap" back to
> some smaller value? If so, what?
> There's probably more I'm missing here, but I'll try to read the spec
> over again in detail soon.
> --
> Peter Saint-Andre
> Jabber Software Foundation
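Two of the points above (request IDs at their upper limit, and what protects a session that runs over plain HTTP) are things a connection manager has to enforce in code. The following is an added example, not code from the JEP, from the JSF, or from any connection manager. It assumes an upper bound of 2^53-1 for 'rid', a wrap-to-1 policy, and strict in-order processing (no buffering of concurrent requests); the key check it applies is the JEP's own rule for insecure sessions, where each key is the hex SHA-1 of the previous one and keys are sent in reverse order.

```python
"""BOSH (JEP-0124) connection-manager checks for the 'rid' and 'key' attributes.

Added example; not the JEP's or any implementation's code. RID_MAX, the
wrap policy and strict in-order processing are assumptions for this example.
"""
import hashlib
import secrets

RID_MAX = 2**53 - 1   # assumed upper bound for 'rid'


def sha1_hex(s):
    """hex(SHA-1(s)) over the ASCII text of s, as the JEP's key chain uses."""
    return hashlib.sha1(s.encode("ascii")).hexdigest()


def next_rid(rid):
    """Assumed wrap policy: after RID_MAX the sequence restarts at 1."""
    return rid + 1 if rid < RID_MAX else 1


def generate_key_sequence(n, seed=None):
    """Client side: K(1)=hex(sha1(seed)), K(i)=hex(sha1(K(i-1))).

    Returns [K(1), ..., K(n)]. The client announces K(n) in 'newkey' on the
    session-creation request and then sends K(n-1), K(n-2), ... as 'key'.
    """
    seed = seed if seed is not None else secrets.token_hex(16)
    keys = [sha1_hex(seed)]
    for _ in range(n - 1):
        keys.append(sha1_hex(keys[-1]))
    return keys


class BoshSession:
    """Per-session state the connection manager keeps for the two checks."""

    def __init__(self, first_rid, newkey=None):
        self.last_rid = first_rid   # rid of the session-creation request
        self.last_key = newkey      # K(n) announced there, or None if keys unused

    def _rid_ok(self, rid):
        # Strict sequence: a replayed or out-of-order rid is rejected.
        return rid == next_rid(self.last_rid)

    def _key_ok(self, key):
        if self.last_key is None:
            return key is None          # session started without keys
        if key is None:
            return False                # keyed session, key missing
        return sha1_hex(key) == self.last_key

    def handle(self, rid, key=None, newkey=None):
        """Validate a request; commit state only if both checks pass."""
        if not (self._rid_ok(rid) and self._key_ok(key)):
            return False
        self.last_rid = rid
        if self.last_key is not None:
            # When the client reaches K(1) it supplies a fresh chain in 'newkey'.
            self.last_key = newkey if newkey is not None else key
        return True


def simulate():
    """Constructed exchange: valid requests, a replayed rid, a forged key, a key rotation."""
    keys = generate_key_sequence(4, seed="example-seed")          # K(1)..K(4)
    session = BoshSession(first_rid=1000, newkey=keys[3])         # creation: newkey=K(4)
    fresh = generate_key_sequence(3, seed="second-seed")          # K'(1)..K'(3)
    return [
        session.handle(1001, key=keys[2]),                        # K(3) -> True
        session.handle(1002, key=keys[1]),                        # K(2) -> True
        session.handle(1002, key=keys[0]),                        # replayed rid -> False
        session.handle(1003, key="deadbeef"),                     # forged key -> False
        session.handle(1003, key=keys[0], newkey=fresh[2]),       # K(1), rotate -> True
        session.handle(1004, key=fresh[1]),                       # K'(2) -> True
    ]


def simulate_wrap():
    """Constructed run of an unkeyed session across the assumed rid limit."""
    session = BoshSession(first_rid=RID_MAX - 1)
    return [session.handle(RID_MAX), session.handle(1), session.handle(2)]


if __name__ == "__main__":
    print(simulate())        # [True, True, False, False, True, True]
    print(simulate_wrap())   # [True, True, True]
```

The state is committed only after both checks pass, so a request with a valid rid but a bad key does not advance the sequence, and the client can resend it. Over HTTPS the key chain adds nothing; it exists for the plain-HTTP case the message above wants labelled as potentially insecure.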