[Standards] UPDATED: XEP-0300 (Use of Cryptographic Hash Functions in XMPP)

Peter Saint-Andre stpeter at stpeter.im
Mon Feb 6 14:22:27 UTC 2012


Waqas, I've incorporated all of your feedback into the spec, and will
check it with my co-authors here at the XMPP Summit before pushing out a
revision.

On Fri, Dec 09, 2011 at 01:38:12AM +0500, Waqas Hussain wrote:
> On Tue, Dec 6, 2011 at 3:32 AM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
> > On 12/5/11 3:16 PM, XMPP Extensions Editor wrote:
> >> Version 0.2 of XEP-0300 (Use of Cryptographic Hash Functions in XMPP) has been released.
> >>
> >> Abstract: This document provides recommendations for the use of cryptographic hash functions in XMPP protocol extensions.
> >>
> >> Changelog: Updated to reflect initial analysis of existing XMPP protocol extensions. (psa)
> >>
> >> Diff: http://xmpp.org/extensions/diff/api/xep/0300/diff/0.1/vs/0.2
> >>
> >> URL: http://xmpp.org/extensions/xep-0300.html
> >
> > Folks, I started to look at XEP-0300 in relation to existing extensions.
> > Please review my work so far, and do your own thinking about how useful
> > (or not useful) XEP-0300 is.
> >
> 
> I'm curious about the descriptive feature namespaces
> (urn:xmpp:hash-function-textual-names:md5)... I'm sure there is
> something behind not using urn:xmpp:hash:md5, or similar :)
> 
> Also, the encapsulating <hashes xmlns='urn:xmpp:hashes:0'/> element
> isn't really necessary, except for cases where only a single element
> is allowed (pubsub). I recall we were measuring bytes when defining
> entity caps in presence, which would suggest changing this protocol to
> be more compact.
> 
> A consistent approach to hashes is a good thing. Changing widely
> deployed protocols is a bad thing. The nature of the XEP makes it
> awkward to use in many protocols (as noted at the end of this
> message). I'm -0 on this XEP.
> 
> Of the XEPs listed in XEP-0300 section 4.5, the widely deployed
> protocols are entity caps, vCard-based avatars, and SOCKS5
> bytestreams. BOSH is widely deployed, but I don't think the hashing
> part is.
> 
> I'd suggest leaving vCard-based avatars alone. Entity caps is arguably
> supposed to change, due to security issues. I'm not sure about the
> SOCKS5 XEPs. They are quite widely deployed, and if we do change
> things, backwards compatibility will need to be kept.
> 
> That said, changing things in these various protocols would be fairly
> awkward, given the existing use of attributes for hashes. E.g., it
> would be fairly awkward to change the BOSH 'key' and 'newkey'
> attributes to elements in <body/>.
> 
> --
> Waqas Hussain
