[Standards] secure s2s multiplexing

Peter Saint-Andre stpeter at stpeter.im
Tue May 5 16:09:02 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 5/5/09 9:58 AM, Philipp Hancke wrote:
> Peter Saint-Andre schrieb:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 5/5/09 12:38 AM, Philipp Hancke wrote:
>>> Peter Saint-Andre wrote:
>>>> Do you mean: when does an application decide that it would like to
>>>> request multiplexing for a given domain (rather than opening a new XML
>>>> stream)?
>>> yes. Rather than opening a new TCP connection actually.
>>
>> Correct. Isn't that up to the implementation or deployment?
> 
> Server implementors might come up with their own interpretations of
> "subdomain" and ignore DNS unless you specify it properly ;-)

I think that rfc3920bis doesn't even use the word subdomain anymore.

>>>>>>>>     * The multiplexing method must be backwards-compatible with
>>>>>>>> existing
>>>>>>>> server-to-server connection methods.
>>>>>>>>     * Each party to a server-to-server communication must be
>>>>>>>> able to
>>>>>>>> determine if the other party supports multiplexing.
>>>>>>> unidirectional or bidirectional s2s for this? For bidi we need a
>>>>>>> reverse-stream:features feature anyway.
>>>>>> I think this should make the stream bidirectional.
>>>>> If it is bidirectional, who can add new domains? But that is probably
>>>>> digging too deep already :-)
>>>> I would think that either side can add domains (if adding domains has
>>>> been negotiated).
>>> Might result in race conditions. One way to avoid that is a protocol
>>> where one side asks the other side to add the domain. Not that
>>> difficult to solve.
>>
>> What are the race conditions? I can add sending domains for my side and
>> you can add sending domains for your side. Now I suppose that if you try
> 
> What about adding receiving domains?

I hadn't considered that.

> Suppose I have domains A, B and you have X and we already have a
> stream established with domains A and X. If the stream is bidirectional,
> either of us could decide that he wants to open a "channel" for B,
> because I want to send as B or you want me to receive as B (for whatever
> reasons).

The concept of "you want me to receive as B" strikes me as weird. Do we
need that?

>> to add foo.com as a sending domain for you, and I try to add foo.com as
>> a sending domain for me, we have a problem. But presumably only one of
>> us will have appropriate credentials to send for foo.com, at least in
>> the typical s2s scenario (things might be different inside a cloud).
> 
> You make "cloud" sound like "Pandora's box".

Isn't it? :)

Peter

- --
Peter Saint-Andre
https://stpeter.im/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoAZJ4ACgkQNL8k5A2w/vzyNwCfVDEfELiHdPmpKAZd1WYZDbFY
pJwAn3nRlcSr2/GkGo2gENdUNeKiWU+0
=OqD2
-----END PGP SIGNATURE-----



More information about the Standards mailing list