[Standards] LAST CALL: XEP-0368 (SRV records for XMPP over TLS)

Sam Whited sam at samwhited.com
Sun Feb 12 16:03:57 UTC 2017


On Sat, Jan 28, 2017 at 11:26 AM, XMPP Extensions Editor
<editor at xmpp.org> wrote:
> 1. Is this specification needed to fill gaps in the XMPP protocol stack or to clarify an existing protocol?

Yes

> 2. Does the specification solve the problem stated in the introduction and requirements?

Partially.

A minor nitpick: The requirements section isn't really requirements,
it's the actual main content of the spec.

In the introduction and security concerns there are claims that this
spec provides "perhaps increased security and privacy over using
STARTTLS". These claims both use passive language ("perhaps"), and I
don't think they are actually true (it's only slightly less trivial to
detect that not-HTTPS is most likely being transmitted, and lots of
corporate firewalls do this). Since these are weak statements to begin
with, I'd like to see them taken out in case they mislead users. I
don't think it provides any value to the specification to include
claims like this anyways, true or false.

It would be nice if these statements could be removed before the
council votes; apologies for being late to the party in bringing this
up again.

> 3. Do you plan to implement this specification in your code? If not, why not?

Yes.

> 4. Do you have any security concerns related to this specification?

Only that the claims of greater privacy over STARTTLS might be misleading.

> 5. Is the specification accurate and clearly written?

Yes.

—Sam

