[Standards] Proposed XMPP Extension: XMPP Transport Layer Security

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Thu Nov 1 22:13:00 UTC 2007


On Thursday 01 November 2007 2:49 pm, Peter Saint-Andre wrote:
> Justin Karneges wrote:
> > Most TLS libraries operate as a "black box", passing an opaque stream of
> > bytes to the application.  I'd suggest making the XEP have a more
> > transparent use of TLS to match this fact.  In other words, rather than
> > saying the first iq stanza must contain certain explicit TLS constructs
> > (e.g. ClientHello), just say it can contain any arbitrary TLS data, just
> > like how a real TLS stream over TCP works.  This would allow most
> > off-the-shelf TLS libraries, such as OpenSSL, to be used with XTLS. 
> > Since a stanza stream has TCP-like behavior, I think we can get away with
> > this.
> >
> > Of course, this would mean we'd lose the direct mapping between each
> > transported stanza and the content within.  For example, a single IM may
> > span multiple transported stanzas, or a single transported stanza may
> > contain multiple IMs.  However, I don't think having a direct mapping
> > buys us much at all, while having an opaque/transparent transport buys us
> > a *lot*.
>
> Well this gets back to what Tomasz said: why not have an opaque data
> transport? Whether you use it for XTLS or anything else is up to you.
>
> /me ponders

I think he was rather complaining about how whenever we desire to transport 
binary data we end up having to base64 encode it.  An efficient binary 
transport mechanism may be worth looking into, but it is a separate problem.

By the way, we have an opaque data transport: XEP-47 (IBB). :)

On that note, it might be worth using IBB for XTLS.  If we were to turn XTLS 
into an opaque transport, then XTLS would end up with a lot of IBB overlap.  
After all, it would just be shuffling Base64 around, and that's what IBB 
does.  What about the following:

Romeo requests XTLS:

<iq from='romeo@montague.lit/orchard'
    id='hs1'
    to='juliet@capulet.lit/chamber'
    type='set'>
  <xtls xmlns='http://www.xmpp.org/extensions/xep-xxxx.html#ns' sid='1234'/>
</iq>

Juliet agrees:

<iq from='juliet@capulet.lit/chamber'
    id='hs1'
    to='romeo@montague.lit/orchard'
    type='result'/>

Romeo negotiates IBB session:

<iq from='romeo@montague.lit/orchard'
    id='ibb1'
    to='juliet@capulet.lit/chamber'
    type='set'>
  <open sid='1234'
        block-size='4096'
        xmlns='http://jabber.org/protocol/ibb'/>
</iq>

Juliet accepts:

<iq from='juliet@capulet.lit/chamber'
    id='ibb1'
    to='romeo@montague.lit/orchard'
    type='result'/>

Romeo sends some TLS data:

<iq from='romeo@montague.lit/orchard'
    id='ibb2'
    to='juliet@capulet.lit/chamber'
    type='set'>
  <data xmlns='http://jabber.org/protocol/ibb' sid='1234' seq='0'>
    base_64(TLS-Client-Hello-Message)
  </data>
</iq>

This pushes the transporting stuff out of XTLS, and also lets you use <iq> or 
<message> stanzas to transport the data.  XTLS reduces to a single iq 
exchange and some security notes...

-Justin
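Editor's added example, not part of Justin's message or of any XEP: the Go program below carries out the exchange sketched above, using Go's crypto/tls as the off-the-shelf "black box" TLS library and a small net.Conn adapter that frames whatever bytes the library emits into XEP-0047 <data/> stanzas with the sid '1234' and block-size from the stanzas above. Its assumptions, none of which come from the post: block-size is taken as the raw byte count per stanza before base64; the <iq/> wrapper and XMPP routing are stood in for by a pair of Go channels; Juliet's certificate is a throwaway self-signed one generated at run time, and Romeo pins its DER bytes because two XTLS peers share no CA (how XTLS peers should really authenticate each other is the part the post leaves to "some security notes"). The names stanzaConn, RunXTLSOverIBB and the pinning closure are inventions of this example, and the hostname in the certificate is constructed test material.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)
// ibbData is the XEP-0047 <data/> element; the <iq/> or <message/> wrapper that carries it is omitted here.
type ibbData struct {
	XMLName xml.Name `xml:"http://jabber.org/protocol/ibb data"`
	SID     string   `xml:"sid,attr"`
	Seq     uint16   `xml:"seq,attr"` // uint16, so it wraps at 65535 as XEP-0047 requires
	Body    string   `xml:",chardata"`
}
// stanzaConn presents one side of an IBB session as a net.Conn, so crypto/tls sees the opaque byte stream it expects.
type stanzaConn struct {
	sid       string
	blockSize int           // raw bytes per stanza, counted before base64 (an assumption of this example)
	out       chan<- string // stanzas leaving this side; the channel pair stands in for the XMPP network
	in        <-chan string
	Sent      uint16 // next seq to send, which is also the number of stanzas emitted so far
	recvSeq   uint16 // seq expected next from the peer
	buf       []byte // decoded bytes not yet consumed by Read
}
// Write chunks whatever TLS hands it (part of a record, one, or several) into <data/> stanzas; a stanza boundary carries no TLS meaning.
func (c *stanzaConn) Write(p []byte) (int, error) {
	for off := 0; off < len(p); off += c.blockSize {
		chunk := p[off:]
		if len(chunk) > c.blockSize { chunk = chunk[:c.blockSize] }
		b, err := xml.Marshal(ibbData{SID: c.sid, Seq: c.Sent, Body: base64.StdEncoding.EncodeToString(chunk)})
		if err != nil { return off, err }
		c.out <- string(b)
		c.Sent++
	}
	return len(p), nil
}
// Read pulls stanzas until bytes are available, rejecting a foreign sid or an out-of-order seq.
func (c *stanzaConn) Read(p []byte) (int, error) {
	for len(c.buf) == 0 {
		s, ok := <-c.in
		if !ok { return 0, io.EOF }
		var d ibbData
		if err := xml.Unmarshal([]byte(s), &d); err != nil { return 0, err }
		if d.SID != c.sid || d.Seq != c.recvSeq { return 0, fmt.Errorf("ibb: got sid=%q seq=%d, want sid=%q seq=%d", d.SID, d.Seq, c.sid, c.recvSeq) }
		raw, err := base64.StdEncoding.DecodeString(d.Body)
		if err != nil { return 0, err }
		c.recvSeq++
		c.buf = append(c.buf, raw...)
	}
	n := copy(p, c.buf)
	c.buf = c.buf[n:]
	return n, nil
}
// The rest of net.Conn: Close ends the session; addresses and deadlines are not modelled.
func (c *stanzaConn) Close() error                     { close(c.out); return nil }
func (c *stanzaConn) LocalAddr() net.Addr              { return nil }
func (c *stanzaConn) RemoteAddr() net.Addr             { return nil }
func (c *stanzaConn) SetDeadline(time.Time) error      { return nil }
func (c *stanzaConn) SetReadDeadline(time.Time) error  { return nil }
func (c *stanzaConn) SetWriteDeadline(time.Time) error { return nil }
// RunXTLSOverIBB runs a TLS 1.3 handshake between Romeo (client) and Juliet (server) over an in-memory IBB session
// with the given block-size, sends payload from Romeo, and returns what Juliet decrypted plus Romeo's endpoint.
// Juliet's certificate is a throwaway self-signed one (constructed test material) that Romeo pins by its DER bytes.
func RunXTLSOverIBB(blockSize int, payload []byte) (received []byte, romeo *stanzaConn, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "juliet.capulet.lit"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	pin := func(raw [][]byte, _ [][]*x509.Certificate) error { // no CA in common: Romeo pins Juliet's exact certificate
		if len(raw) == 1 && bytes.Equal(raw[0], der) { return nil }
		return fmt.Errorf("xtls: peer certificate is not the pinned one")
	}
	r2j, j2r, errc := make(chan string, 4096), make(chan string, 4096), make(chan error, 1)
	romeo = &stanzaConn{sid: "1234", blockSize: blockSize, out: r2j, in: j2r}
	juliet := &stanzaConn{sid: "1234", blockSize: blockSize, out: j2r, in: r2j}
	go func() {
		client := tls.Client(romeo, &tls.Config{MinVersion: tls.VersionTLS13, InsecureSkipVerify: true, VerifyPeerCertificate: pin})
		_, err := client.Write(payload)                       // runs the handshake first, then sends payload
		if cerr := client.Close(); err == nil { err = cerr } // close_notify, then the IBB channel is closed
		errc <- err
	}()
	server := tls.Server(juliet, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}, MinVersion: tls.VersionTLS13})
	if received, err = io.ReadAll(server); err != nil { return nil, nil, err } // handshake on first Read; EOF at close_notify
	if err = <-errc; err != nil { return nil, nil, err }
	return received, romeo, nil
}
```

RunXTLSOverIBB(4096, payload) is the entry point (there is no main): with a 10 KB payload Romeo's stanza count covers ClientHello, the client's Finished flight, the application data records and close_notify, and lowering block-size to 64 multiplies the stanza count without changing what Juliet decrypts, which is the "stanza boundaries carry no meaning" property the post argues for. Read rejects a stanza with a foreign sid or a skipped seq; the TLS record layer would catch spliced or reordered records anyway through its authentication tag, but failing at the IBB layer gives a precise error instead of a generic bad-record alert.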
