[Standards-JIG] JEP-0124: possible security issues

Mridul Muralidharan Mridul.Muralidharan at Sun.COM
Tue Mar 14 08:58:47 UTC 2006


   I would strongly argue with keeping contents within the body element 
as XML itself: the actual packet data, that is.
Not some encoded or encrypted version which is to be processed before it 
can be passed on to the server (or requires decoding at the server), unless 
of course it already is specified that way (like the semantics of some 
packets, etc.).

   So essentially, I am arguing against supporting TLS and SASL 
encryption of the stream.
Is SASL encryption supported at the XMPP stream level, btw? I thought it 
was not ...

Also, about HTTP-TLS ...
The spec seems to discourage this. Is it envisioned that people will 
use HTTP and upgrade to TLS?
If not, then it might make client implementations simpler if we just 
remove that section from the JEP.
Specify that HTTP is for potentially insecure and HTTPS for secure.


Peter Saint-Andre wrote on 03/14/06 02:59:
> In preparation for presenting JEP-0124 (HTTP Binding) to an appropriate
> security expert for review, I and others have been thinking a bit about
> security issues the spec might need to address. Here are a few:
> 1. Certificate checking / consistency
>    See http://mail.jabber.org/pipermail/council/2006-March/001807.html
> 2. TLS: HTTP layer or XMPP layer?
>    The spec says you SHOULD use channel encryption at the HTTP layer and
>    SHOULD NOT use channel encryption at the XMPP layer. It's probably
>    less ambiguous to say MUST and MUST NOT here. If we leave the door
>    open for doing TLS at the XMPP layer then we need to define how that
>    would work (what do you put in the XML?). Better, I think, to use
>    HTTPS or HTTP-TLS and be done with it.
> 3. SASL encryption?
>    We need to specify whether it's OK to set up a SASL encryption layer
>    (as some SASL mechanisms allow you to do). If so, what do you send in
>    the XML? If not, then we need to say that.
> 4. Request IDs.
>    Since request IDs may affect security, we probably need to say what
>    to do if the Request ID hits the upper limit. Do you "wrap" back to
>    some smaller value? If so, what?
> There's probably more I'm missing here, but I'll try to read the spec
> over again in detail soon.
> Peter
> - --
> Peter Saint-Andre
> Jabber Software Foundation
> http://www.jabber.org/people/stpeter.shtml
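Added illustration, not part of this thread or of JEP-0124: a small Python sketch of one answer to point 4 above (what a server does when the request ID reaches its upper limit, and what it does with a value that goes backwards). The policy it encodes, a rid no larger than 2^53-1, advanced by one per request, with a fixed number of requests allowed in flight, is the one later revisions of XEP-0124 settled on; the class, method names and the window default are assumptions of mine, and the response bodies are stand-ins.

```python
# Added illustration (not from JEP-0124 or the thread): server-side bookkeeping
# for BOSH request IDs under one concrete policy for the "upper limit" question:
#   - a rid must fit in 2**53 - 1 (the largest integer a double holds exactly);
#     a larger value terminates the session instead of wrapping;
#   - the rid advances by one per request with at most `window` requests
#     in flight, so a value that goes backwards is either a retransmission
#     (answered from a cache) or a broken/wrapped client (terminated).
# BoshSession, classify(), handle(), MAX_RID and the window default are assumed names.

MAX_RID = 2**53 - 1


class BoshSession:
    def __init__(self, creation_rid: int, window: int = 2) -> None:
        if not 0 < creation_rid <= MAX_RID:
            raise ValueError("creation rid out of range")
        # highest rid accepted so far (the session-creation request counts)
        self.highest = creation_rid
        # how many requests the client may have outstanding (the 'requests' attribute)
        self.window = window
        # rid -> response body, kept so a retransmitted request gets the same answer
        self.cache: dict[int, str] = {creation_rid: "<body sid='x'/>"}  # stand-in

    def classify(self, rid: int) -> str:
        """Decide what to do with an incoming rid.

        'accept'  : unanswered and within the window; process it
        'replay'  : duplicate of a recently answered rid; resend the cached body
        'overflow': rid exceeds MAX_RID; terminate, the client must start a new session
        'stale'   : rid too old to be in flight (wrapped or far behind); terminate
        'ahead'   : rid more than `window` past the highest seen; terminate
        """
        if rid > MAX_RID:
            return "overflow"
        if rid in self.cache:
            return "replay"
        if rid <= self.highest - self.window:
            return "stale"
        if rid > self.highest + self.window:
            return "ahead"
        return "accept"

    def handle(self, rid: int, body: str) -> tuple[str, str]:
        """Apply classify(), update state on accept, and return (action, response)."""
        action = self.classify(rid)
        if action == "accept":
            self.highest = max(self.highest, rid)
            response = f"<body ack='{rid}'/>"  # stand-in for the real reply to `body`
            self.cache[rid] = response
            # drop responses the client can no longer legitimately ask for again
            for old in [r for r in self.cache if r <= self.highest - self.window]:
                del self.cache[old]
            return action, response
        if action == "replay":
            return action, self.cache[rid]
        # overflow, stale and ahead all end the session; BOSH uses item-not-found
        return action, "<body type='terminate' condition='item-not-found'/>"
```

The point of the explicit "overflow" and "stale" branches is that a wrapped rid is indistinguishable from an injected or replayed one at the server, so rather than picking a value to wrap to, the session is closed and the client restarts with a fresh rid chosen low enough never to reach the limit.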
