Jakob Schroeter wrote:
Hi all,On Tue Mar 13 2007, Peter Saint-Andre wrote:We received some initial feedback from an IETF security guru regarding encrypted sessions (XEP-0116 etc.). He thinks that, based on our requirements, we could simply re-use TLS semantics in XMPP syntax rather than define a completely new security protocol (which is considered to be a bad idea). Essentially this would treat XMPP as the transport layer, so instead of doing TLS over TCP (as we do for channel encryption) we would do TLS over XMPP for encrypted sessions between endpoints, where we communicate TLS primitives in XML syntax.I thought this was a very interesting idea when I first read this, especially since I had most of the necessary infrastructure already in place in gloox. So I sat down today and wrote a proof-of-concept of "XTLS".Basically, what I do is base64() TLS handshake data and encrypted payload and wrap it into a <xtls/> element inside a <message/> stanza.
I'm not sure if IQ or message is right. But we can discuss that a bit.
With some caching it is possible to reduce the TLS anonymous handshake to 4 stanzas in total: 2 client --> server, 2 server --> client. Without caching it would be 4 more.This is with GnuTLS.Unfortunately, I didn't finish my XEP-0155 implementation for this, so this is currently hard-coded in unit tests and a simple ping-pong example.
Yes, we'd need to see how XTLS works with XEP-0155. But that part should be fairly straightforward.
This is in no way meant as a recommendation from a cryptographic point of view, I'll leave that to more knowledgable people.
Thanks, that is helpful. Peter -- Peter Saint-Andre XMPP Standards Foundation http://www.xmpp.org/xsf/people/stpeter.shtml
smime.p7s
Description: S/MIME Cryptographic Signature
