On 2/10/09 2:55 AM, Peter Saint-Andre wrote:
> 2. Consensus that the current secure="true" flag on the BOSH <body/>
> element is useless. Jack Moffitt recommended removing this and adding a
> security consideration about what the BOSH connection manager should
> accept and not accept from the XMPP server. He and I will work on text.
How is this?

***

19.2 Connection Between BOSH Service and Application

A BOSH service SHOULD encrypt its connection to the backend application using appropriate technologies such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), and StartTLS if supported by the backend application. Alternatively, the BOSH service can be considered secure (1) if it is running on the same physical machine as the backend application or (2) if it is running on the same private network as the backend application and the administrators are sure that unknown individuals or processes do not have access to that private network.

Because there is no way for the client to be sure that the BOSH service encrypts its connection to the application, it is RECOMMENDED for the client to encrypt its messages using an application-specific end-to-end encryption technology; methods for doing so are outside the scope of this specification.

***

Peter

--
Peter Saint-Andre
https://stpeter.im/
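As an added example (not part of Peter's message or of XEP-0124 itself), here is one way a BOSH connection manager could apply the proposed 19.2 policy to the backend XMPP server's <stream:features/>: negotiate STARTTLS whenever the server offers it, accept a plaintext link only in the two trusted deployment cases the text names (same host, or a private network the administrators control), and refuse the connection otherwise. The deployment labels, function names and decision strings are assumptions of this example; the two features stanzas are constructed samples, with the stream namespace declared inline so they parse stand-alone.

```python
import xml.etree.ElementTree as ET

# Namespaces from RFC 3920/6120: the stream wrapper and the STARTTLS feature.
STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample: a server that offers STARTTLS and marks it as required.
FEATURES_WITH_TLS = (
    '<stream:features xmlns:stream="%s">'
    '<starttls xmlns="%s"><required/></starttls>'
    '</stream:features>' % (STREAM_NS, TLS_NS)
)

# Constructed sample: a server that offers only SASL, no STARTTLS at all.
FEATURES_NO_TLS = (
    '<stream:features xmlns:stream="%s">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>' % STREAM_NS
)

# Deployment labels are an assumption of this example, mapping to 19.2's
# "same physical machine" and "trusted private network" cases.
TRUSTED_DEPLOYMENTS = ("same-host", "trusted-private-network")


def starttls_offer(features_xml):
    """Return (offered, required) for the STARTTLS feature in a stream:features stanza."""
    root = ET.fromstring(features_xml)
    if root.tag != "{%s}features" % STREAM_NS:
        raise ValueError("not a stream:features element: %s" % root.tag)
    tls = root.find("{%s}starttls" % TLS_NS)
    if tls is None:
        return (False, False)
    required = tls.find("{%s}required" % TLS_NS) is not None
    return (True, required)


def backend_link_decision(features_xml, deployment):
    """Decide what the connection manager does with the backend link.

    Returns one of (assumed labels):
      'negotiate-starttls' - server offers STARTTLS; always upgrade the link.
      'proceed-plaintext'  - no STARTTLS, but the deployment is one 19.2 treats as secure.
      'abort'              - no STARTTLS and no trusted deployment; refuse to carry traffic.
    """
    offered, _required = starttls_offer(features_xml)
    if offered:
        return "negotiate-starttls"
    if deployment in TRUSTED_DEPLOYMENTS:
        return "proceed-plaintext"
    return "abort"


if __name__ == "__main__":
    for label, xml in (("with-tls", FEATURES_WITH_TLS), ("no-tls", FEATURES_NO_TLS)):
        for deployment in ("same-host", "trusted-private-network", "untrusted"):
            print(label, deployment, "->", backend_link_decision(xml, deployment))
```

The point of keeping the decision in one function is that it is the place an administrator audits: the plaintext branch is reachable only through an explicit deployment label, so a connection manager that is misconfigured as "untrusted" fails closed rather than silently relaying through an unencrypted backend link.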
