[Standards-JIG] stream restarts
stpeter at jabber.org
Fri Sep 15 17:44:55 UTC 2006
Matthias Wimmer wrote:
> Peter Saint-Andre wrote:
>> Well, I talked about this with someone smarter than me (Joe Hildebrand),
>> who reminded me that we need the stream restarts in order to protect the
>> stream headers from man in the middle attacks (rewriting of 'to' and
>> 'from' addresses, etc.), at least (1) after TLS negotiation and (2)
>> after SASL negotiation when SASL negotiation involves installation of a
>> security layer. We don't need it after things like stream compression,
> Yeah, Joe already pointed that out in a reply to my mail. I had to agree
> with him as well.
> Someone telling me that it would be because of some libraries otherwise
> having problems was so astonishing to me that I did not think about
> other valid reasons to restart the stream.
> It also seems very common with other protocols that they do a complete
> restart of their connection. (Well, for SASL they most of the time do it
> only if a security layer has been established, but ...)
But I don't think we need it in JEP-0138.
Jabber Software Foundation
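
The rule discussed in this message (restart the stream after TLS negotiation, and after SASL negotiation when it installs a security layer), sketched as receiver-side state handling. This is an added example, not part of the original message or of any XMPP library; the class `StreamState`, its method names and the sample headers are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"

def header_attrs(raw_header):
    """Parse an opening <stream:stream> tag (it is never closed on the wire)."""
    root = ET.fromstring(raw_header + "</stream:stream>")
    if root.tag != "{%s}stream" % STREAMS_NS:
        raise ValueError("not a stream header")
    return {"from": root.get("from"), "to": root.get("to")}

class StreamState:
    """Hypothetical receiver-side bookkeeping for one XMPP stream."""
    def __init__(self):
        self.attrs = None            # addresses taken from the current header
        self.secured = False         # True once a security layer is in place
        self.header_trusted = False  # True only for a header read under it

    def on_header(self, raw_header):
        self.attrs = header_attrs(raw_header)
        # Only a header received under the security layer is integrity-protected.
        self.header_trusted = self.secured

    def on_security_layer(self):
        # TLS finished, or SASL installed a security layer: forget everything
        # learned in the clear and wait for the restarted stream's header.
        self.secured = True
        self.attrs = None
        self.header_trusted = False

    def addresses(self):
        if not self.header_trusted:
            raise RuntimeError("stream restart required before using addresses")
        return self.attrs

def hdr(frm, to):
    # Constructed sample header, not captured traffic.
    return ("<stream:stream xmlns='jabber:client' xmlns:stream='%s' "
            "from='%s' to='%s' version='1.0'>" % (STREAMS_NS, frm, to))

def demo():
    s = StreamState()
    s.on_header(hdr("rewritten.example", "juliet@example.com"))  # altered in transit
    s.on_security_layer()
    try:
        s.addresses()
        refused = False
    except RuntimeError:
        refused = True  # cleartext header values were discarded
    s.on_header(hdr("example.com", "juliet@example.com"))  # restarted stream
    return refused, s.addresses()["from"]
```
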