[Standards] LAST CALL: XEP-0368 (SRV records for XMPP over TLS)

Sam Whited sam at samwhited.com
Wed Feb 15 16:06:38 UTC 2017


On Wed, Feb 15, 2017 at 8:32 AM, Travis Burtrum <travis at burtrum.org> wrote:
> "All security setup and certificate validation code SHOULD be shared
> between the STARTTLS and direct TLS logic as well."

These aren't the issues you're likely to hit though; I can't imagine
anyone actually using different TLS code for STARTTLS vs. doing it
direct. The issues you're likely to hit are logic bugs when trying to
decide between direct/start-TLS that cause you to have a path that
lets you fall back to plain without actually negotiating TLS at all.

That being said, I am all for this spec, I just think some of its
security claims need to be rewritten before it is accepted.

—Sam
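
Added example, not part of the original message or of XEP-0368: a sketch of connection logic for the failure mode described above, in which every candidate, direct TLS or STARTTLS, must end in a completed handshake or be skipped, so no path continues in plaintext. The `Candidate` type, the `dial` hook and its result keys, and the sample hosts are hypothetical.

```python
from dataclasses import dataclass

class TLSRequired(Exception):
    """No candidate produced a TLS-protected stream."""

@dataclass(frozen=True)
class Candidate:            # hypothetical model of one SRV target
    host: str
    port: int
    priority: int
    direct_tls: bool        # True: _xmpps-client record, False: _xmpp-client

def connect(candidates, dial):
    """Return the first candidate whose stream is under TLS, else raise.

    dial(candidate) is a hypothetical transport hook returning a dict with
    'connected', 'starttls_offered' and 'handshake_ok' booleans.
    """
    # Both record types go into one list ordered by priority (weight ignored here).
    for cand in sorted(candidates, key=lambda c: c.priority):
        result = dial(cand)
        if not result["connected"]:
            continue
        if cand.direct_tls:
            secured = result["handshake_ok"]
        else:
            # A missing <starttls/> feature counts as a failed candidate,
            # never as permission to carry on in the clear.
            secured = result["starttls_offered"] and result["handshake_ok"]
        if secured:
            return cand      # the only successful exit: TLS is established
    raise TLSRequired("no candidate negotiated TLS")

# Constructed sample data: direct TLS on 443, STARTTLS on 5222.
CANDIDATES = [
    Candidate("xmpp.example.org", 443, 10, True),
    Candidate("xmpp.example.org", 5222, 20, False),
]

def stripped_dial(cand):
    """Constructed network: direct-TLS port blocked, STARTTLS feature removed."""
    if cand.direct_tls:
        return {"connected": False, "starttls_offered": False, "handshake_ok": False}
    return {"connected": True, "starttls_offered": False, "handshake_ok": False}

def honest_dial(cand):
    """Constructed network: direct-TLS port blocked, STARTTLS works."""
    if cand.direct_tls:
        return {"connected": False, "starttls_offered": False, "handshake_ok": False}
    return {"connected": True, "starttls_offered": True, "handshake_ok": True}
```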