[Standards] TLS in XEP-0206

Peter Saint-Andre stpeter at stpeter.im
Wed Mar 19 16:23:13 UTC 2014


XEP-0206 1.4rc2 says:

Note: Inclusion of TLS negotiation elements is allowed but is NOT 
RECOMMENDED. The definition of how TLS might be implemented over BOSH is 
currently beyond the scope of this document. Instead, channel encryption 
SHOULD be completed at the HTTP (transport) layer, not the XMPP 
(application) layer.

and

Note: The client SHOULD ignore any Transport Layer Security (TLS) 
feature since BOSH channel encryption SHOULD be negotiated at the HTTP 
layer.

I think it would be cleaner to say that TLS MUST NOT be negotiated in 
BOSH, and that if confidentiality and data integrity are needed then 
they MUST be negotiated at the HTTP layer.

Also it would be good to make sure that BOSH is aligned with the XMPP 
over WebSocket spec on this point (but I'll provide feedback about that 
on the XMPP WG list).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
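
Added example, not part of the original message or of XEP-0206: a minimal Python sketch of the client behaviour discussed above, which requires HTTPS for the BOSH URL and drops any STARTTLS feature instead of negotiating it. The function names and the sample response are constructed for illustration.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS_BOSH = "http://jabber.org/protocol/httpbind"
NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample: a session creation response whose stream features
# advertise STARTTLS alongside SASL mechanisms.
SAMPLE_BODY = """<body xmlns='http://jabber.org/protocol/httpbind'
      xmlns:stream='http://etherx.jabber.org/streams'
      sid='constructed-sid' wait='60'>
  <stream:features>
    <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
    <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
      <mechanism>SCRAM-SHA-1</mechanism>
    </mechanisms>
  </stream:features>
</body>"""


def endpoint_is_encrypted(bosh_url):
    """True only when the BOSH connection manager URL uses HTTPS."""
    parts = urlsplit(bosh_url)
    return parts.scheme == "https" and bool(parts.hostname)


def negotiable_features(body_xml):
    """Return (feature_tags, tls_was_offered) for a BOSH <body/> payload.
    STARTTLS is dropped, even when marked <required/>, so the caller
    never attempts TLS negotiation inside the BOSH session.
    """
    # Assumption: trusted test input; harden the parser for server data.
    body = ET.fromstring(body_xml)
    if body.tag != f"{{{NS_BOSH}}}body":
        raise ValueError("not a BOSH <body/> wrapper")
    features = body.find(f"{{{NS_STREAM}}}features")
    if features is None:
        return [], False
    tags = [child.tag for child in features]
    tls_tag = f"{{{NS_TLS}}}starttls"
    return [t for t in tags if t != tls_tag], tls_tag in tags


def open_session(bosh_url, body_xml):
    """Refuse cleartext HTTP, then return the features left to negotiate."""
    if not endpoint_is_encrypted(bosh_url):
        raise ConnectionError("BOSH endpoint must use https://")
    return negotiable_features(body_xml)
```
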


