[Standards] NEW: XEP-0219 (Hop Check)

Philipp Hancke fippo at goodadvice.pages.de
Wed May 30 20:34:13 UTC 2007

XMPP Extensions Editor typeth:
> URL: http://www.xmpp.org/extensions/xep-0219.html

Quoting parts of the XEP:

 > As a user, I may want to know three things:
 >   1. If my connection to my server is encrypted.
 >   2. If my server's connection to my contact's server is encrypted.

The hopcheck result in example 4 shows the state of my contact's server
to my server.
Unfortunately, XMPP S2S does not work the way your user expects.
As an S2S connection is unidirectional, the results for both connections
are needed, not only for the 'security' of my messages to my contact,
but also for the 'security' of my contact's messages to me (including
error bounces of my messages).

The approach section needs to be updated to accommodate the
encryption/authentication split.

Additionally, the protocol does not take into account the authentication
of my contact's server to my server in the case of the outgoing s2s
connection (i.e. from capulet to montague) and likewise for the backward
s2s connection.

If my server recognizes that capulet uses a certificate which it
does not trust or capulet uses a certificate which contains a 
CN/id-on-xmppAddr "Eve", the hop trust of this connection must be
zero. Btw, the rfc3920 solution to this is to immediately terminate
the connection?
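To make the two points above concrete (s2s streams are unidirectional, so a hop check must evaluate both directions, and an untrusted or misnamed certificate reduces a hop's trust to zero), here is an added model, written for this page and not taken from XEP-0219 or from the mail. The `Stream` fields, the 0/1 trust scale and the `juliet@capulet.lit` / `romeo@montague.lit` scenario are constructed; the XEP's actual wire format is not reproduced.

```python
"""Constructed two-direction hop model; not XEP-0219's schema or wire format."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Stream:
    """One XMPP stream (c2s or s2s) with the TLS facts gathered on it.

    Field names are constructed for this example. `peer` is the domain whose
    certificate was presented on the stream and must match the name in it.
    """
    source: str
    destination: str
    peer: str
    encrypted: bool = False
    peer_cert_trusted: bool = False           # chains to an issuer we trust
    peer_cert_identity: Optional[str] = None  # CN or id-on-xmppAddr in the certificate


def stream_state(s: Stream) -> Dict[str, bool]:
    """Report encryption and authentication separately for one stream.

    Authentication fails on an untrusted issuer or on a name that does not
    match the expected peer (the "Eve" case) and is meaningless without TLS.
    """
    authenticated = (
        s.encrypted
        and s.peer_cert_trusted
        and s.peer_cert_identity == s.peer
    )
    return {"encrypted": s.encrypted, "authenticated": authenticated}


def stream_trust(s: Stream) -> int:
    """Hop trust as the mail argues it: 1 only when the peer is authenticated, else 0."""
    return 1 if stream_state(s)["authenticated"] else 0


def direction_report(streams: List[Stream]) -> Dict[str, object]:
    """Aggregate the streams a message traverses in one direction.

    A direction is encrypted/authenticated only if every stream in it is,
    and its trust is the weakest stream's trust.
    """
    states = [stream_state(s) for s in streams]
    return {
        "path": [f"{s.source}->{s.destination}" for s in streams],
        "encrypted": all(st["encrypted"] for st in states),
        "authenticated": all(st["authenticated"] for st in states),
        "trust": min((stream_trust(s) for s in streams), default=0),
    }


def hop_check(forward: List[Stream], backward: List[Stream]) -> Dict[str, object]:
    """Evaluate both directions; a conversation is only as trusted as its weaker one.

    `forward` carries my messages to my contact, `backward` carries the
    replies and any error bounces back to me.
    """
    fwd, bwd = direction_report(forward), direction_report(backward)
    return {"forward": fwd, "backward": bwd, "trust": min(fwd["trust"], bwd["trust"])}


# Constructed scenario: juliet@capulet.lit talking to romeo@montague.lit.
# The c2s streams are shared by both directions; the s2s streams are not.
JULIET_C2S = Stream("juliet@capulet.lit", "capulet.lit", peer="capulet.lit",
                    encrypted=True, peer_cert_trusted=True, peer_cert_identity="capulet.lit")
ROMEO_C2S = Stream("romeo@montague.lit", "montague.lit", peer="montague.lit",
                   encrypted=True, peer_cert_trusted=True, peer_cert_identity="montague.lit")
S2S_OUT = Stream("capulet.lit", "montague.lit", peer="montague.lit",
                 encrypted=True, peer_cert_trusted=True, peer_cert_identity="montague.lit")
# The reverse s2s stream is encrypted, but the certificate names "Eve".
S2S_BACK = Stream("montague.lit", "capulet.lit", peer="montague.lit",
                  encrypted=True, peer_cert_trusted=True, peer_cert_identity="Eve")

FORWARD = [JULIET_C2S, S2S_OUT, ROMEO_C2S]
BACKWARD = [ROMEO_C2S, S2S_BACK, JULIET_C2S]

if __name__ == "__main__":
    import json
    print(json.dumps(hop_check(FORWARD, BACKWARD), indent=2))
```

Run as is, the forward direction comes out encrypted and authenticated while the backward direction is encrypted but not authenticated, so the overall trust is 0: a result that reported only `capulet -> montague`, as in the XEP's example 4, would have shown the conversation as fully protected.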

