[Standards] Proposed XMPP Extension: Internet of Things - Discovery

Peter Waher Peter.Waher at clayster.com
Thu Apr 3 12:03:46 UTC 2014


Hello Edwin & Co.

>You seem to confuse Historical with Deprecated.  Although the XEP is historical, the status is active.  Furthermore, all servers I have used so far support XEP-0114: this is a core feature of most implementations.

Actually, I do not. I am aware of the difference. What historical tells me, apart from it being historical, i.e. part of the Jabber project before being formalized, is that it:

* Is not sufficiently important to have been lifted and issues discussed and fixed, to become draft or final (or RFC).
* Any changes to it are not guaranteed to be backwards compatible.
* It's future is unclear, which is also stated in the XEP.
* It's use and implementation variants are unclear.
* Security aspects are unclear.
* It is not recommended by XSF or xmpp.org anywhere.

After having investigated XEP-0114 now in some more detail, there are various aspects which concerns me. Since Jabber components seems to be a third way to connect to an XMPP server (the other two being c2s and s2s), and a very useful one at that I must agree, I think the XSF should take some time and effort in formalizing this XEP a bit, and fixing some of its flaws. I'm told that it uses an old version of XMPP (0.9), and I wonder if it is not in everybody's interest to lift it to v1.0, and allow things such as starttls, etc. to make it more secure. Today, there is no way for the client (component) to validate that the server is who it pretends to be, which makes MITM attacks quite easy. And since you get such a direct access to the server, it looks very much like a backdoor to me.

Best regards,
Peter Waher



More information about the Standards mailing list