[Standards] XEP 0124 section 9?

Ian Paterson ian.paterson at clientside.co.uk
Wed Feb 14 02:36:50 UTC 2007


Hi Steve,

I'm coming to the end of a major revamp of XEP-0124. It really needed 
it. Hopefully it will be released tomorrow. I'll try to clarify the 
points you made in the new version.

> I'd like to understand the recommendation against TLS negotiation
> between the server and the client.  Doesn't having two TLS
> connections (Server to connection manager and connection manager to 
> client) make the connection manager a tempting injection point for 
> MITM attacks since the connection manager must decrypt and re-encrypt 
> data?  While using multiple encryption methods can sometimes lead to 
> unpredictable results, using TLS twice should be safe in this context.
> TLS session negotiation, while nowhere near as secure as an 'Esession' 
> and does not provide protection within the server, is at least 
> commonplace.

Your concerns are valid. However, constrained clients typically can't do
TLS, and most XMPP servers have native XEP-0124 support now (i.e. the
connection manager is part of the server).

What do you have in mind? Base64 encode the binary TLS stream and wrap 
it inside children of XEP-0124's <body/> elements?

- Ian
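An added example, written for this page and not taken from the thread or from XEP-0124, of the framing Ian's question describes: opaque TLS record bytes are base64-encoded and carried as a child element of a BOSH `<body/>`, so the connection manager forwards them without being able to decrypt and re-encrypt anything (the injection point Steve raises). The BOSH namespace and the `sid`/`rid` attributes are from XEP-0124; the `<tls/>` child element and its `urn:example:bosh-tls-tunnel` namespace are assumptions, since no such element is defined by the XEP. The TLS bytes below are constructed sample data, not a real handshake.

```python
import base64
import xml.etree.ElementTree as ET

BOSH_NS = "http://jabber.org/protocol/httpbind"  # defined by XEP-0124
# Hypothetical namespace for the tunnelled-TLS child; NOT part of XEP-0124.
TUNNEL_NS = "urn:example:bosh-tls-tunnel"


def wrap_tls_records(records: bytes, sid: str, rid: int) -> bytes:
    """Build a BOSH <body/> whose only child carries opaque TLS bytes as base64."""
    body = ET.Element(f"{{{BOSH_NS}}}body", {"sid": sid, "rid": str(rid)})
    child = ET.SubElement(body, f"{{{TUNNEL_NS}}}tls")
    child.text = base64.b64encode(records).decode("ascii")
    return ET.tostring(body)


def unwrap_tls_records(xml_bytes: bytes) -> tuple[str, int, bytes]:
    """Parse a BOSH <body/> and return (sid, rid, raw TLS bytes).

    Raises ValueError on a non-BOSH document, a missing tunnel child, or
    base64 that is not strictly valid (validate=True rejects stray characters).
    """
    body = ET.fromstring(xml_bytes)
    if body.tag != f"{{{BOSH_NS}}}body":
        raise ValueError("not a BOSH <body/> element")
    child = body.find(f"{{{TUNNEL_NS}}}tls")
    if child is None or not child.text:
        raise ValueError("no tunnelled TLS payload in <body/>")
    sid = body.get("sid")
    rid = body.get("rid")
    if sid is None or rid is None:
        raise ValueError("BOSH <body/> is missing sid or rid")
    return sid, int(rid), base64.b64decode(child.text, validate=True)


def intermediary_view(xml_bytes: bytes) -> dict:
    """What a connection manager can see: session/request ids and payload size only."""
    sid, rid, payload = unwrap_tls_records(xml_bytes)
    return {"sid": sid, "rid": rid, "payload_len": len(payload)}


# Constructed sample: bytes shaped like a TLS record header (type 0x16 = handshake,
# version 3.1, length 5) followed by five opaque bytes. Not a real handshake.
SAMPLE_RECORDS = b"\x16\x03\x01\x00\x05hello"


def demo() -> bytes:
    wrapped = wrap_tls_records(SAMPLE_RECORDS, sid="sess-1", rid=1001)
    assert unwrap_tls_records(wrapped) == ("sess-1", 1001, SAMPLE_RECORDS)
    return wrapped


if __name__ == "__main__":
    print(demo().decode())
    print(intermediary_view(demo()))
```

The `intermediary_view` function makes the design point explicit: once the TLS stream is tunnelled this way, the connection manager handles only the BOSH session bookkeeping and an opaque blob, so there is nothing at that hop to decrypt. The cost is that the client must still run a full TLS stack, which is exactly the constraint Ian points out.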
