On 19 Mar 2014, at 17:23, Peter Saint-Andre <[email protected]> wrote:
> XEP-0206 1.4rc2 says: > > Note: Inclusion of TLS negotiation elements is allowed but is NOT > RECOMMENDED. The definition of how TLS might be implemented over BOSH is > currently beyond the scope of this document. Instead, channel encryption > SHOULD be completed at the HTTP (transport) layer, not the XMPP (application) > layer. > > and > > Note: The client SHOULD ignore any Transport Layer Security (TLS) feature > since BOSH channel encryption SHOULD be negotiated at the HTTP layer. > > I think it would be cleaner to say that TLS MUST NOT be negotiated in BOSH, > and that if confidentiality and data integrity are needed then they MUST be > negotiated at the HTTP layer. > > Also it would be good to make sure that BOSH is aligned with the XMPP over > WebSocket spec on this point (but I'll provide feedback about that on the > XMPP WG list). Sorry for repeating myself... But a big problem with this that we need to work together to solve is the ability to validate TLS in javascript environments. THere has been a lot of work to standardise how we set up a TLS connection to a server and validate the cert with the address we want to reach. In the browser environment our application is in the dark. We just have to trust the browser. Will an application using BOSH or Websockets even know if the connection is protected by TLS? /O
