[Standards] TLS in XEP-0206

Peter Saint-Andre stpeter at stpeter.im
Wed Mar 19 16:23:13 UTC 2014

XEP-0206 1.4rc2 says:

Note: Inclusion of TLS negotiation elements is allowed but is NOT 
RECOMMENDED. The definition of how TLS might be implemented over BOSH is 
currently beyond the scope of this document. Instead, channel encryption 
SHOULD be completed at the HTTP (transport) layer, not the XMPP 
(application) layer.


Note: The client SHOULD ignore any Transport Layer Security (TLS) 
feature since BOSH channel encryption SHOULD be negotiated at the HTTP 

I think it would be cleaner to say that TLS MUST NOT be negotiated in 
BOSH, and that if confidentiality and data integrity are needed then 
they MUST be negotiated at the HTTP layer.

Also it would be good to make sure that BOSH is aligned with the XMPP 
over WebSocket spec on this point (but I'll provide feedback about that 
on the XMPP WG list).


Peter Saint-Andre

More information about the Standards mailing list