Hi Dave!

I've only briefly reviewed this so far, so please forgive me if I've missed things, but I have some early comments:

Major blocker I'm not sure can be addressed:

1.
This essentially re-introduces the major security flaw that was addressed in XEP-0156 by removing the TXT record, just with a warning.
Context:
* https://web.archive.org/web/20220828222121/https://mail.jabber.org/pipermail/standards/2022-February/038759.html
* https://github.com/xsf/xeps/pull/1158
* https://www.moparisthebest.com/slides/xmpp-connectivity-security-13JUL2023.html#(17)

But all those points still remain, most importantly:
* nearly no HTTPS clients/libraries/browsers actually support "connect me to domain X but send SNI Y and validate the cert against domain Y"; I would argue it's too dangerous to even allow trying this

Things easily addressed:

1.
> "xmpps-server" and "xmpps-client" have a default port registered in this document.

I don't actually see these registered. Also I'm generally opposed to this, because, whether we like it or not (and I know most of us do not, including me) it's 2024 and protocols are no longer multiplexed via port, but instead all go over 443 (TLS or QUIC) and are multiplexed via ALPN. Soothe yourself to sleep at night with the fact that this, combined with ECH, is actually a huge win for both connectivity and privacy, as intermediaries can no longer guess or police which protocol(s) you can use.

2.
It mentions QUIC, and links to the XEP, but I don't see a way to indicate a QUIC connection?

3.
Needs ECH, with HTTPS this is on the HTTPS record, where can it go here? I consider this absolutely required.

4.
Semi-minor nit: StartTLS certainly doesn't preclude ALPN being sent, but I actually wouldn't define it at all here. Legacy clients that don't support DirectTLS won't support this spec, and will look up StartTLS the old way, and 0 servers have support for StartTLS but not DirectTLS. Unless I'm missing some reason to keep support?

5.
Ultra-minor nit: is BOSH needed or useful with websockets and upcoming webtransport? Legacy clients that don't support either of those won't support this either, and will look up BOSH the old way.

Thanks,
Travis
_______________________________________________
Standards mailing list -- [email protected]
To unsubscribe send an email to [email protected]

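Two of the points above, the "connect to host X but send SNI Y and validate the certificate against Y" requirement and protocol selection by ALPN on a shared port rather than by port number, are easy to state and easy to get wrong in a client library. The following Go program is an added illustration written for this page; it is not code from the thread, the XEP draft, or any XMPP project. It assumes a constructed service name `example.org`, a self-signed certificate generated in memory to stand in for a CA-issued one, and a loopback TLS listener standing in for the host a DNS record would point at. `xmpp-client` is the ALPN identifier registered by XEP-0368; `h2` is only there to show that a second protocol can share the port.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ServiceDomain is a hypothetical XMPP service (constructed for this example): the
// name the user typed, so the name the certificate must match whatever host DNS names.
const ServiceDomain = "example.org"

// ALPNClient is the ALPN identifier XEP-0368 registered for XMPP client connections.
const ALPNClient = "xmpp-client"

// Result records what the client observed on the wire.
type Result struct {
	Negotiated  string // ALPN protocol the server agreed to
	SNI         string // name sent in the Server Name Indication extension
	CertName    string // DNS name in the certificate the client accepted
	Err         error  // error from the correctly configured client (expected nil)
	MismatchErr error  // error when validating against the dial host instead of ServiceDomain
}

// mustSelfSignedCert builds an in-memory certificate for domain plus a root pool that
// trusts it (constructed test material standing in for a CA-issued certificate).
func mustSelfSignedCert(domain string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{domain},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// connect dials addr (the host:port a DNS record pointed at) while sending SNI validateAs
// and checking the certificate against validateAs. An empty validateAs makes crypto/tls
// fall back to the dial host, which is what a client lacking the SNI/validation split does.
func connect(addr, validateAs string, roots *x509.CertPool) (negotiated, sni, certName string, err error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName: validateAs,
		RootCAs:    roots,
		NextProtos: []string{ALPNClient}, // protocol selection happens here, not by port number
	})
	if err != nil {
		return "", "", "", err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.NegotiatedProtocol, st.ServerName, st.PeerCertificates[0].DNSNames[0], nil
}

// RunDemo serves two protocols on one loopback port, then connects once correctly and
// once the way a client without the SNI/validation split would.
func RunDemo() Result {
	cert, roots := mustSelfSignedCert(ServiceDomain)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{ALPNClient, "h2"}, // one port, several protocols, chosen by ALPN
	})
	if err != nil {
		return Result{Err: err}
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); c.(*tls.Conn).Handshake() }() // failures surface client-side
		}
	}()
	addr := ln.Addr().String() // "connect to X": a loopback socket, not ServiceDomain
	var r Result
	r.Negotiated, r.SNI, r.CertName, r.Err = connect(addr, ServiceDomain, roots)
	_, _, _, r.MismatchErr = connect(addr, "", roots) // validate against the dial host: rejected
	return r
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

The correct client reports `ALPN=xmpp-client`, an SNI of `example.org`, and a certificate for `example.org` even though the socket went to `127.0.0.1`. The second client, which lets the library validate against the dial host, is rejected because the certificate carries no IP SAN; a library that cannot express the split has only that failure or disabling verification to choose from, which is the practical problem behind the first point above. Note that the listener never configures a port-based protocol choice: `xmpp-client` and `h2` share one port and the server picks by ALPN.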