[Standards] TLS in XEP-0206
Olle E. Johansson
oej at edvina.net
Wed Mar 19 16:27:56 UTC 2014
On 19 Mar 2014, at 17:23, Peter Saint-Andre <stpeter at stpeter.im> wrote:
> XEP-0206 1.4rc2 says:
> Note: Inclusion of TLS negotiation elements is allowed but is NOT RECOMMENDED. The definition of how TLS might be implemented over BOSH is currently beyond the scope of this document. Instead, channel encryption SHOULD be completed at the HTTP (transport) layer, not the XMPP (application) layer.
> Note: The client SHOULD ignore any Transport Layer Security (TLS) feature since BOSH channel encryption SHOULD be negotiated at the HTTP layer.
> I think it would be cleaner to say that TLS MUST NOT be negotiated in BOSH, and that if confidentiality and data integrity are needed then they MUST be negotiated at the HTTP layer.
> Also it would be good to make sure that BOSH is aligned with the XMPP over WebSocket spec on this point (but I'll provide feedback about that on the XMPP WG list).
In the browser environment our application is in the dark. We just have to trust the browser. Will an application using BOSH or Websockets even know if the connection is protected by TLS?
More information about the Standards