... While digging deeper into BEEP and its implementation, I see a security issue with its deployment. BEEP is a multiplexing protocol, thus multiple profiles can run concurrently on a given BEEP connection at a given time. From the firewall point of view, we can simply enable or disable BEEP. When an encrypting tuning profile is used, the firewall cannot even look at the application layer into the exchange of BEEP packages. So effectively BEEP will open up a hole in the firewall (as does SOAP for HTTP).
How is this WG thinking about this? I fear that this fact can reduce the acceptance for protocols based on BEEP (at the end-user level, not the implementors). At least I think it would be a good idea to mention this issue in the security considerations issue.

Rainer
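As an added illustration (not part of Rainer's message, and not code from any BEEP implementation), the sketch below shows what per-profile inspection at a firewall could look like while the channel 0 exchange is still cleartext, and how it stops yielding verdicts once TLS tuning takes effect. The frame layout and the TLS profile URI follow RFC 3080; the `example.org` profile URIs, the allowlist and the captured bytes are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Frame header per RFC 3080: type channel msgno more seqno size [ansno] CRLF
HEADER = re.compile(rb"(MSG|RPY|ERR|ANS|NUL) (\d+) (\d+) ([.*]) (\d+) (\d+)(?: \d+)?\r\n")
TLS_PROFILE = "http://iana.org/beep/TLS"       # TLS tuning profile URI (RFC 3080)
ALLOWED = {"http://example.org/beep/LOGGING"}  # constructed policy, hypothetical URI
MIME = b"Content-Type: application/beep+xml\r\n\r\n"

def frames(stream):
    """Yield (type, channel, payload); raise ValueError on bytes that are not BEEP."""
    pos = 0
    while pos < len(stream):
        m = HEADER.match(stream, pos)
        if not m:
            raise ValueError("not a BEEP frame header")
        end = m.end() + int(m.group(6))
        if stream[end:end + 5] != b"END\r\n":
            raise ValueError("missing END trailer")
        yield m.group(1), int(m.group(2)), stream[m.end():end]
        pos = end + 5

def inspect(stream):
    """Return (verdict, profile URI) for each channel-start request seen."""
    verdicts = []
    try:
        for ftype, channel, payload in frames(stream):
            if ftype != b"MSG" or channel != 0:
                continue                       # only channel 0 carries <start>
            root = ET.fromstring(payload.split(b"\r\n\r\n", 1)[-1])
            for profile in root.iter("profile"):
                uri = profile.get("uri")
                verdict = ("tuning" if uri == TLS_PROFILE
                           else "allow" if uri in ALLOWED else "deny")
                verdicts.append((verdict, uri))
    except (ValueError, ET.ParseError):
        verdicts.append(("opaque", None))      # encrypted or malformed: nothing to inspect
    return verdicts

def sample():
    """Constructed one-direction capture: three <start> requests, then ciphertext."""
    out, seq = b"", 0
    uris = ["http://example.org/beep/LOGGING", "http://example.org/beep/BULK", TLS_PROFILE]
    for msgno, uri in enumerate(uris):
        body = MIME + b"<start number='%d'><profile uri='%s'/></start>\r\n" % (2 * msgno + 1, uri.encode())
        out += b"MSG 0 %d . %d %d\r\n" % (msgno, seq, len(body)) + body + b"END\r\n"
        seq += len(body)
    return out + b"\x17\x03\x03\x00\x20" + bytes(32)   # stand-in for TLS records
```

Calling `inspect(sample())` yields an allow, a deny and a tuning verdict followed by a single opaque entry: every profile negotiated after the tuning reset is invisible to the inspecting device, which is the gap the message asks to have documented.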
