My understanding of XTLS is that we would take the existing TLS algorithm, map each step of that algorithm to an XMPP step, and do that on a per-conversation basis. This would end up being similar to the way we implemented SASL on XMPP: we took each step, wrapped some XMPP-ish XML around it, and called it done.

TLS for me is a much more complex beast than SASL, and as a result, I really don't want to implement a custom TLS library. On the server side, we currently are able to take advantage of TLS hooks in the operating system - this means that the O/S itself worries about the actual encryption / decryption. If I drop in a rich network card that has a DSP on it, that network card will actually handle the encryption / decryption and keep my processor(s) happy.

There are also many round trips required to negotiate a TLS connection - I don't remember the number, but it's in the 9 or 10 range.

I don't know of any existing libraries that would be a "drop in" solution to this problem. Nothing would expose the right hooks at the right levels to make this an easy implementation. Certainly for .Net this is the case (Mentalis doesn't count - it's way too buggy, and no longer supported), and I suspect it is for Java as well. The C/C++ guys might be able to use OpenSSL, but it's certainly not a given.

On the other hand, if we go with an XmlEnc approach, the libraries to do it are all done (at least in .Net / Java / C++). This is a huge win for both client & server developers.

(As a quick side note) Another use case I would like to see is the MUC use case. There are a few ways to go about this, some of which seem better than others.

--
Chris Mullins

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Saint-Andre
Sent: Friday, March 16, 2007 3:26 PM
To: [email protected]
Subject: [Security] XTLS

In the XMPP Council meeting held earlier this week, Council member Chris Mullins said:

[13:52:55] <Chris Mullins> xTLS scares me to death.
[13:53:11] <Chris Mullins> I do NOT want to implement that, nor deal with the implications of implementing it.

Chris, do you care to elaborate? It might be helpful to have a stub document that shows what XTLS would look like. I'll try to put something together soon, if only for my own understanding.

Peter

--
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
