[Standards] Proposed XMPP Extension: HTTP File Upload

Rick van Rein rick at openfortress.nl
Mon Jul 27 15:03:25 UTC 2015


Hello,

The HTTP upload mechanism hinges on the secrecy of the upload URL.  Any
client who receives it and accidentally publishes it can convey the
document.

I would like to point you to an alternative, namely MSRP.  It is a
straightforward protocol, similar in nature to HTTP but with a few
desirable facilities extra:
 - mention both source and destination address, which may be of
user at domain.tld form
 - block-by-block uploads enable multiplexing streams
 - checksums on each block
 - the protocol is symmetric; either side can initiate a transfer
 - TLS may be used for encryption and server authentication and,
possibly, client authentication

Although I agree that HTTP is useful for resource sharing, it lacks the
security facilities to separate independent downloaders which weakens
the security model of this proposal in ways that MSRP does not.  MSRP,
as you may know, is the SIP answer to file sharing.

I am willing to look for the time to write this up in a new XEP-xxxx --
but only if this is considered sufficiently interesting as an
alternative to this list.

-Rick



More information about the Standards mailing list