[Standards] Proposed XMPP Extension: Stanza Content Encryption

Jonas Schäfer jonas at wielicki.name
Mon Jun 24 19:44:36 UTC 2019


> URL: https://xmpp.org/extensions/inbox/xep-sce.html

I think this is an important step in the right direction. Thanks for putting 
the work into it.

I don’t have any blocking issues myself, either, I think, but there are a few 
points I’d like to note.

1. as Dave noted, this document could use a lot of clarification on the 
definition side of things. This seems particularly important for a security 
protocol where lax definitions where people have to guess what’s up can lead 
to security issues. 

2. The document mentions encryption of IQ stanzas. It would be great to have 
an example of that, especially since the existing encryption schemes do not 
take IQs into account at all.

3. The only example in the Use Cases section is a negative example; I’m not 
sure this is great from an overview perspective. I think this is, if at all, 
more suited for the Motivation section, and the Use Cases section should show 
an encrypted message with the corresponding <content/>, similar to what other 
XEPs do, describing the workflow of encrypting and decrypting data.

4. The XEP introduces some concepts to prevent certain types of attacks, but 
does not mention those (attacks) in the Security Considerations.

5. It does not discuss why existing options like xmlsec have not been used.

As mentioned, these aren’t blockers for Experimental for me. I find (1) and 
(5) particularly important before advancement to Draft though.

kind regards,
Jonas

P.S.: My GPG key was recently renewed. If you have problems verifying the 
signature of this message, try to refresh my key from the keyservers.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.jabber.org/pipermail/standards/attachments/20190624/afeae632/attachment.sig>


More information about the Standards mailing list