Hi!
We received some initial feedback from an IETF security guru regarding encrypted sessions (XEP-0116 etc.). He thinks that, based on our requirements, we could simply re-use TLS semantics in XMPP syntax rather than define a completely new security protocol (which is considered to be a bad idea). Essentially this would treat XMPP as the transport layer, so instead of doing TLS over TCP (as we do for channel encryption) we would do TLS over XMPP for encrypted sessions between endpoints, where we communicate TLS primitives in XML syntax.
I had this concern about defining a new cryptographic protocol as well some time ago, when I asked Ian, why at all he is designing a completely new protocol. I think it is a very good thing, that we got input from the outside as well, that we should not do this. While on the other hand I am not sure if mapping TLS on XMPP solves all our problems. - At least for now. It may change when draft-hajjeh-tls-sign-02.txt gets finished. But still I keep saying that the protocol we are looking for is XML Signature and XML Encryption, that have been defined by the W3C. http://www.w3.org/Signature/ http://www.w3.org/Encryption/2001/ This are standards specially made to sign and encrypt XML data, so it is exactly what we need. And even while I asked on the standards JID, nobody could yet tell me, what would be a problem with this standards. (Maybe beside, that some people just seem to want to create their own cryptographic standard. But this is nothing that can be done by anyone, but just by a group of people with review of even more people.) So mapping TLS on top of XMPP might be one option for me, while I think we should also very heavily consider the w3c standards for this. But with XEP-0116 I am still very very sceptic. Matthias
