Hi all, On Tue Mar 13 2007, Peter Saint-Andre wrote: > We received some initial feedback from an IETF security guru regarding > encrypted sessions (XEP-0116 etc.). He thinks that, based on our > requirements, we could simply re-use TLS semantics in XMPP syntax rather > than define a completely new security protocol (which is considered to > be a bad idea). Essentially this would treat XMPP as the transport > layer, so instead of doing TLS over TCP (as we do for channel > encryption) we would do TLS over XMPP for encrypted sessions between > endpoints, where we communicate TLS primitives in XML syntax.
I thought this was a very interesting idea when I first read this, especially since I had most of the necessary infrastructure already in place in gloox. So I sat down today and wrote a proof-of-concept of "XTLS". Basically, what I do is base64() TLS handshake data and encrypted payload and wrap it into a <xtls/> element inside a <message/> stanza. With some caching it is possible to reduce the TLS anonymous handshake to 4 stanzas in total: 2 client --> server, 2 server --> client. Without caching it would be 4 more. This is with GnuTLS. Unfortunately, I didn't finish my XEP-0155 implementation for this, so this is currently hard-coded in unit tests and a simple ping-pong example. This is in no way meant as a recommendation from a cryptographic point of view, I'll leave that to more knowledgable people. Jakob
pgpxlG8Eh3ySx.pgp
Description: PGP signature
