On 06/09/2008 9:50 AM, Dave Cridland wrote:
> On Sat Jun  7 00:07:36 2008, XMPP Extensions Editor wrote:
>> The XMPP Extensions Editor has received a proposal for a new XEP.
>>
>> Title: XMPP Transport Layer Security
> 
> Some comments:
> 
> 1) I like using streams, too, that seems to make perfect sense,
> especially given XEP-0174.
> 
> 2) The TLS handshake section may as well be removed - whether to request
> a certificate or not is up to the parties involved - both parties might
> want mere confidentiality, and not want certificates involved at all.
> 
> 3) It might be reasonable to describe a mechanism for out-of-band (or
> in-band informal) channel binding. Something like taking the result of
> an HMAC over the TLS hello messages, with "yours" first and "theirs"
> after, keyed with a key sent out of band, would do to verify endpoints
> (if, of course, the key were sent in such a way that it were not
> intercepted.)

I've been thinking about something like that for regular old TLS over
direct XML streams (RFC 3920) because presumably that would give you a
shared secret that you could use for certain interesting use cases
(e.g., hop check), but I have not given much thought to that yet. And I
consider it off-topic for this thread. :)

> However, I got talking to Rob McQueen - there's a certain amount of
> sense in, instead of describing this in terms of IBB, describing it in
> terms of Jingle.
> 
> It's possible - and reasonable - to consider an XMPP stream as content,
> in which case the TLS becomes a transport (or possibly attribute of the
> transport).

Part of the idea behind XTLS is that you might want to use the XTLS
"tunnel" for all e2e communications with another party. In particular,
you might want to use that tunnel so that you don't expose your IP
addresses during a Jingle negotiation (e.g., if you did XTLS over
ICE-TCP or SOCKS5). So forcing XTLS to depend on Jingle might defeat the
purpose. What transport would be used if we described XTLS in terms of
Jingle, and might you expose personally identifying information in that way?

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
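The informal channel-binding check Dave sketches in the quoted message (an HMAC over the two TLS hello messages, "yours" first and "theirs" after, keyed with a secret exchanged out of band) is illustrated below as an added example. This is not code from the original thread or from any XEP; the hello messages and the out-of-band key are constructed placeholders, and the 4-byte length prefix on each message is an assumption added so the boundary between the two hellos is unambiguous. Because each side puts its own hello first, the verifier must recompute the tag from the peer's point of view (peer hello first) before comparing. The second function shows why this catches an on-path interceptor who terminates TLS on both legs: the hellos Alice sees are not the hellos Bob sees, so Bob's tag does not verify at Alice.

```python
import hashlib
import hmac


def binding_tag(key: bytes, own_hello: bytes, peer_hello: bytes) -> bytes:
    """HMAC-SHA256 over (own hello, peer hello), keyed with the out-of-band key.

    Each hello is length-prefixed (assumption, not from the thread) so that
    the concatenation cannot be re-split at a different boundary.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for msg in (own_hello, peer_hello):
        mac.update(len(msg).to_bytes(4, "big"))
        mac.update(msg)
    return mac.digest()


def verify_peer_tag(key: bytes, own_hello: bytes, peer_hello: bytes,
                    received_tag: bytes) -> bool:
    """Check the tag the peer sent us.

    The peer computed its HMAC with *its* hello first and ours second, so we
    swap the order before recomputing. Constant-time comparison avoids
    leaking how many leading bytes of the tag were correct.
    """
    expected = binding_tag(key, peer_hello, own_hello)
    return hmac.compare_digest(expected, received_tag)


def demo_direct() -> tuple:
    """Alice and Bob share one TLS session: both tags verify."""
    key = b"constructed out-of-band key"          # constructed sample secret
    alice_hello = b"ClientHello: alice-random-0001"  # constructed sample hello
    bob_hello = b"ServerHello: bob-random-0002"      # constructed sample hello

    alice_tag = binding_tag(key, alice_hello, bob_hello)
    bob_tag = binding_tag(key, bob_hello, alice_hello)

    alice_accepts_bob = verify_peer_tag(key, alice_hello, bob_hello, bob_tag)
    bob_accepts_alice = verify_peer_tag(key, bob_hello, alice_hello, alice_tag)
    return alice_accepts_bob, bob_accepts_alice


def demo_intercepted() -> bool:
    """An interceptor terminates TLS on both legs and relays Bob's tag.

    Alice's leg has hellos (alice_hello, mallory_to_alice); Bob's leg has
    (mallory_to_bob, bob_hello). The interceptor does not know the key, so
    it can only forward Bob's genuine tag, which was computed over hellos
    Alice never saw. Verification at Alice therefore fails.
    """
    key = b"constructed out-of-band key"
    alice_hello = b"ClientHello: alice-random-0001"
    mallory_to_alice = b"ServerHello: mallory-random-9999"
    mallory_to_bob = b"ClientHello: mallory-random-8888"
    bob_hello = b"ServerHello: bob-random-0002"

    bob_tag = binding_tag(key, bob_hello, mallory_to_bob)   # what Bob honestly sends
    return verify_peer_tag(key, alice_hello, mallory_to_alice, bob_tag)


if __name__ == "__main__":
    print("direct session verifies:", demo_direct())
    print("intercepted session verifies:", demo_intercepted())
```

As Dave notes in the quoted text, the whole check rests on the out-of-band key not being intercepted; an attacker who learns the key can simply compute a matching tag for the hellos on Alice's leg.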
