I think the stream restart is necessary for TLS; however, I never understood why we don't formally close the stream. I think that the stream should be ended, and we should wait for an end-of-stream response from the server rather than a "proceed." Really, with encryption, we're all going to want to start a new "document" anyway. However, with SASL, I could see getting rid of it entirely.
The other "messy" point I see is all of the special cases a server needs to account for in roster and subscribe packets. Subscription requests would be better served as IQ queries, with the server providing a roster entry that can then be edited. I haven't given this a lot of thought, however.
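For reference, here is the STARTTLS negotiation the post is debating, modelled as a small server-side state machine. This is an added example, not code from the post or from any XMPP implementation; the event names, the `Server` class and its response strings are this model's own, and only the `urn:ietf:params:xml:ns:xmpp-tls` namespace and the `<starttls/>`, `<proceed/>` and stream-header steps come from the protocol. It shows why the restart matters from a security standpoint: after `<proceed/>` and the handshake the server throws away every piece of stream state established in the clear (the stream id, the offered features) and refuses any stanza until the client opens a fresh stream over TLS.

```python
"""Minimal server-side model of XMPP STARTTLS negotiation as a state machine.

States: closed -> plain -> tls_pending -> tls_restart -> secure.
Constructed example: event tuples and responses are this model's own vocabulary,
not a library API.
"""

import secrets

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"


class StreamError(Exception):
    """Raised when the client violates the negotiation order."""


class Server:
    def __init__(self):
        self.state = "closed"
        self.stream_id = None        # id of the current stream, if any
        self.plain_stream_id = None  # remembered only to show it is discarded
        self.log = []                # server-to-client output, in order

    def _new_stream(self, secure):
        # Every stream (re)start gets a fresh id and a fresh feature set;
        # nothing offered on the previous stream survives.
        self.stream_id = secrets.token_hex(8)
        if secure:
            features = "<mechanisms/>"
        else:
            features = f"<starttls xmlns='{NS_TLS}'><required/></starttls>"
        self.log.append(f"<stream:stream id='{self.stream_id}'>")
        self.log.append(f"<stream:features>{features}</stream:features>")

    def handle(self, event):
        kind = event[0]
        if kind == "stream_header":
            if self.state == "closed":
                self.state = "plain"
                self._new_stream(secure=False)
            elif self.state == "tls_restart":
                self.state = "secure"
                self._new_stream(secure=True)
            else:
                raise StreamError(f"unexpected stream header in state {self.state}")
        elif kind == "starttls":
            if self.state != "plain":
                raise StreamError("<starttls/> outside the plaintext stream")
            self.state = "tls_pending"
            self.plain_stream_id = self.stream_id
            self.log.append(f"<proceed xmlns='{NS_TLS}'/>")
        elif kind == "tls_handshake_ok":
            if self.state != "tls_pending":
                raise StreamError("TLS handshake without a preceding <proceed/>")
            self.state = "tls_restart"
            self.stream_id = None  # cleartext stream state is dead from here on
        elif kind == "stanza":
            if self.state != "secure":
                # A stanza here is either sent in the clear or rides on stale
                # pre-TLS stream state; both are refused.
                raise StreamError(f"stanza {event[1]!r} refused in state {self.state}")
            self.log.append(f"<!-- accepted {event[1]} -->")
        else:
            raise StreamError(f"unknown event {kind!r}")
        return self.state


def run(events):
    """Feed a client event sequence to a fresh Server; return (server, log)."""
    server = Server()
    for event in events:
        server.handle(event)
    return server, server.log


def sequence_accepted(events):
    """True if the sequence completes without a StreamError."""
    try:
        run(events)
        return True
    except StreamError:
        return False


# Constructed happy path: header, starttls, handshake, restart, then a stanza.
GOOD = [("stream_header",), ("starttls",), ("tls_handshake_ok",),
        ("stream_header",), ("stanza", "iq")]
# Constructed violation: the client skips the restart and sends a stanza
# on the old stream right after the handshake.
NO_RESTART = [("stream_header",), ("starttls",), ("tls_handshake_ok",),
              ("stanza", "iq")]

if __name__ == "__main__":
    server, log = run(GOOD)
    print("\n".join(log))
    print("stream id changed across restart:", server.plain_stream_id != server.stream_id)
    print("sequence without restart accepted:", sequence_accepted(NO_RESTART))
```

Running it prints the two stream headers with different ids, the `<proceed/>`, and the accepted stanza, followed by `True` and `False`. The same check also rejects a `<starttls/>` sent before any stream header and a stanza sent on the plaintext stream, which is the behaviour a server needs whether or not the negotiation ends with a "proceed" or with a formal end-of-stream as the post suggests.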
