Peter Saint-Andre wrote:
> Well XTLS is not well-defined yet, but I will turn my attention to it
> soon. The approach of starttls and then IBB was mentioned by Justin
> Karneges here:
>
> http://mail.jabber.org/pipermail/security/2007-March/000018.html
>
> And that seems reasonable to me.
My fault. I only took a quick look at xtls and assumed it uses DTLS (which is scary, like Justin wrote). Now that I see that xtls always uses <iq> and is in fact "normal" TLS wrapped in XML, it looks good to me.

If you turn your attention to it, I would like to help both writing and implementing it. I have a small Python XMPP implementation here where I can add stuff like this very easily. The IBB + new stream stuff is already implemented and works well.

When thinking about IBB + new stream + starttls vs. xtls I see the following arguments:

xtls advantages:
1. xtls is faster to set up. It does not require opening an IBB, SOCKS5 or maybe even Jingle to figure out what to use.

extra stream advantages:
1. Bypass the server by using SOCKS5
2. Reuse code used for link-local messaging
3. By using stream compression in the stream inside the IBB you can save bandwidth

xtls has only one advantage, but it is a huge one.

One question remains for both ways: how do I verify a certificate? And does every entity have a certificate, or only every user? Maybe the user signs all its entities? Using an existing CA you have to pay a lot of money; users don't like that :) And setting up your own CA is not that simple; creating self-signed certificates, on the other hand, is an openssl one-liner.

Dirk

-- 
When someone says, 'do you want my opinion?' - have you noticed that it's always a negative one.
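The two ideas Dirk's message touches on, "normal" TLS carried inside <iq> stanzas and trusting a self-signed certificate without a CA, can be shown end to end in a small program. The following is an added example written for this page; it is not code from the thread, from Dirk's implementation or from any XMPP project. It assumes the openssl command-line tool is on PATH (used only to mint the throwaway self-signed cert, the "one-liner" the message mentions), the namespace urn:example:xtls-toy, the stanza layout and the JIDs are made up for illustration and are not what XTLS specifies, and pinning the certificate's SHA-256 fingerprint is one answer to "how do I verify a certificate", chosen here, not taken from the thread.

```python
"""Toy XTLS-style exchange: a real TLS handshake whose records travel inside
XML <iq> stanzas, with the self-signed peer cert checked against a pinned
SHA-256 fingerprint instead of a CA.  Assumptions (not from the thread): the
`openssl` CLI is on PATH; the namespace, stanza layout and JIDs are made up."""
import base64
import hashlib
import hmac
import os
import ssl
import subprocess
import tempfile
import xml.etree.ElementTree as ET

NS = "urn:example:xtls-toy"  # made-up namespace, not the one XTLS uses


def make_self_signed_cert(directory, common_name):
    """The 'openssl one-liner': a key plus self-signed cert, no CA involved."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", f"/CN={common_name}"],
        check=True, capture_output=True)
    return cert, key


def sha256_fingerprint(der):
    """Fingerprint over the DER bytes: the value a user publishes out of band."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der, pinned_hex):
    """Compare the presented cert with the pinned fingerprint (constant time)."""
    return hmac.compare_digest(sha256_fingerprint(der), pinned_hex)


def wrap(stanza_id, to, tls_bytes):
    """Carry one chunk of raw TLS record bytes inside an <iq type='set'/>."""
    iq = ET.Element("iq", {"type": "set", "id": f"xtls-{stanza_id}", "to": to})
    ET.SubElement(iq, "data", {"xmlns": NS}).text = (
        base64.b64encode(tls_bytes).decode("ascii"))
    return ET.tostring(iq)


def unwrap(stanza_xml):
    """Inverse of wrap(): recover the TLS bytes from a received stanza."""
    data = ET.fromstring(stanza_xml).find(f"{{{NS}}}data")
    return base64.b64decode(data.text or "")


def xtls_handshake(cert, key, pinned_hex):
    """Run TLS between two in-memory endpoints, every flight inside an <iq>."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(cert, key)
    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli_ctx.check_hostname = False       # no DNS name and no CA to check;
    cli_ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin below

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = cli_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = srv_ctx.wrap_bio(s_in, s_out, server_side=True)
    transcript = []  # every stanza that "crossed the XMPP server"

    def deliver(src_out, dst_in, to):
        chunk = src_out.read()
        if chunk:
            stanza = wrap(len(transcript), to, chunk)
            transcript.append(stanza)
            dst_in.write(unwrap(stanza))

    def advance(conn):
        try:
            conn.do_handshake()
            return True
        except ssl.SSLWantReadError:  # needs the peer's next flight
            return False

    c_done = s_done = False
    for _ in range(8):
        c_done = c_done or advance(client)
        deliver(c_out, s_in, "juliet@example.com/balcony")
        s_done = s_done or advance(server)
        deliver(s_out, c_in, "romeo@example.com/orchard")
        if c_done and s_done:
            break
    else:
        raise ssl.SSLError("handshake did not finish")

    peer_der = client.getpeercert(binary_form=True)
    if not pin_matches(peer_der, pinned_hex):
        raise ssl.SSLError("peer certificate does not match the pinned fingerprint")

    client.write(b"<message><body>hi</body></message>")
    deliver(c_out, s_in, "juliet@example.com/balcony")
    return server.read(), peer_der, transcript


def demo():
    """Mint a self-signed cert, pin it, then handshake and send data via XML."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed_cert(d, "juliet@example.com")
        with open(cert) as f:
            pin = sha256_fingerprint(ssl.PEM_cert_to_DER_cert(f.read()))
        received, peer_der, transcript = xtls_handshake(cert, key, pin)
    return {"pin": pin, "received": received, "stanzas": len(transcript),
            "presented_matches_pin": pin_matches(peer_der, pin),
            "wrong_pin_rejected": not pin_matches(peer_der, "00" * 32)}


if __name__ == "__main__":
    r = demo()
    print("pinned fingerprint:", r["pin"])
    print("stanzas carried:", r["stanzas"])
    print("server received:", r["received"])
```

Both sides run in one process here, so deliver() simply moves each stanza from one MemoryBIO to the other; in a real client each stanza would go out over the XMPP connection and the reply would be fed into the incoming BIO the same way. The pin check happens after the handshake because the client context deliberately has no CA store: without a pin, or some other out-of-band verification, a self-signed certificate gives encryption but no assurance about who is on the other end.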
