[Standards] Proposed XMPP Extension: Internet of Things - Discovery

Steffen Larsen zooldk at gmail.com
Mon Apr 7 07:27:33 UTC 2014

Hi Peter,

On 03 Apr 2014, at 14:03, Peter Waher <Peter.Waher at clayster.com> wrote:

> Hello Edwin & Co.
>> You seem to confuse Historical with Deprecated.  Although the XEP is historical, the status is active.  Furthermore, all servers I have used so far support XEP-0114: this is a core feature of most implementations.
> Actually, I do not. I am aware of the difference. What historical tells me, apart from it being historical, i.e. part of the Jabber project before being formalized, is that it:
> * Is not sufficiently important to have been lifted and issues discussed and fixed, to become draft or final (or RFC).
> * Any changes to it are not guaranteed to be backwards compatible.
> * It's future is unclear, which is also stated in the XEP.
> * It's use and implementation variants are unclear.
> * Security aspects are unclear.
> * It is not recommended by XSF or xmpp.org anywhere.
> After having investigated XEP-0114 now in some more detail, there are various aspects which concerns me. Since Jabber components seems to be a third way to connect to an XMPP server (the other two being c2s and s2s), and a very useful one at that I must agree, I think the XSF should take some time and effort in formalizing this XEP a bit, and fixing some of its flaws. I'm told that it uses an old version of XMPP (0.9), and I wonder if it is not in everybody's interest to lift it to v1.0, and allow things such as starttls, etc. to make it more secure. Today, there is no way for the client (component) to validate that the server is who it pretends to be, which makes MITM attacks quite easy. And since you get such a direct access to the server, it looks very much like a backdoor to me.

I completely agree about making XEP-0114 (external components) more suitable and secure like any other S2S scenario. Lifting it to a XMPP version 1.0 stage would be great, but would also break a lot of implementations. 
> Best regards,
> Peter Waher



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4130 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/standards/attachments/20140407/f9ab5835/attachment.bin>

More information about the Standards mailing list