[Standards] Proposed XMPP Extension: Stanza Content Encryption
jonas at wielicki.name
Mon Jun 24 19:44:36 UTC 2019

> URL: https://xmpp.org/extensions/inbox/xep-sce.html

I think this is an important step in the right direction. Thanks for putting
the work into it.

I don’t have any blocking issues myself, either, I think, but there are a few
points I’d like to note.

1. as Dave noted, this document could use a lot of clarification on the
   definition side of things. This seems particularly important for a security
   protocol where lax definitions where people have to guess what’s up can lead
   to security issues.

2. The document mentions encryption of IQ stanzas. It would be great to have
   an example of that, especially since the existing encryption schemes do not
   take IQs into account at all.

3. The only example in the Use Cases section is a negative example; I’m not
   sure this is great from an overview perspective. I think this is, if at all,
   more suited for the Motivation section, and the Use Cases section should show
   an encrypted message with the corresponding <content/>, similar to what other
   XEPs do, describing the workflow of encrypting and decrypting data.

4. The XEP introduces some concepts to prevent certain types of attacks, but
   does not mention those (attacks) in the Security Considerations.

5. It does not discuss why existing options like xmlsec have not been used.

As mentioned, these aren’t blockers for Experimental for me. I find (1) and
(5) particularly important before advancement to Draft though.

P.S.: My GPG key was recently renewed. If you have problems verifying the
signature of this message, try to refresh my key from the keyservers.