[Standards] Proposed XMPP Extension: Internet of Things - Discovery

Dave Cridland dave at cridland.net
Mon Apr 7 07:40:55 UTC 2014


On 7 April 2014 08:27, Steffen Larsen <zooldk at gmail.com> wrote:

> I completely agree about making XEP-0114 (external components) more
> suitable and secure like any other S2S scenario. Lifting it to a XMPP
> version 1.0 stage would be great, but would also break a lot of
> implementations.
>

I'm not entirely sure. I've seen *some* implementations break when they
receive stream features they weren't expecting, but most existing
implementations don't send the version attribute, so won't get them.

So it'll break *some* implementations, and an implementation *might* want
to offer component support on ports that suppress all features as a result.
How widespread the problem would be is, I think, an unknown at this point.

The alternative is we just say "Components are privately-authenticated S2S
connections", and invoke BiDi and SASL auth and make it happen. This is
functionally equivalent, but differs in that components are no longer
special in any way (aside from near-mandatory support for XEP-0288), aren't
backwards compatible with the older protocol, which becomes obsolete. That
appeals to my sense of purity, and is likely significantly more secure in a
number of ways. (At the very least, the security profile would be better
understood).

Dave.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/standards/attachments/20140407/2a75fa1f/attachment.html>


More information about the Standards mailing list