Re: [secdir] Secdir last call review of draft-kille-ldap-xmpp-schema-02

"Steve Kille" <> Mon, 11 September 2017 07:33 UTC

From: "Steve Kille" <>
To: "'Yoav Nir'" <>, <>
Cc: <>, <>
References: <>
In-Reply-To: <>
Date: Mon, 11 Sep 2017 08:33:20 +0100
Message-ID: <003701d32ad0$42239a30$c66ace90$>


Thanks for this review. I think that you are right in your comment and your suggestion is a good one.

I will update the text and submit version -03.

It has been suggested to add a reference to the LDAP security considerations, which I think is sensible and I will also make this change.



> -----Original Message-----
> From: Yoav Nir []
> Sent: 08 September 2017 22:25
> To:
> Cc:;
> Subject: Secdir last call review of draft-kille-ldap-xmpp-schema-02
>
> Reviewer: Yoav Nir
> Review result: Has Nits
>
> The document defines a couple of OIDs for associating a Jabber ID with an
> LDAP object.  As such, it is very short and straightforward. I'm not too happy
> with the Security Considerations section, which I'll quote here in its entirety:
>
> "This schema enables publishing for XMPP JIDs, and care should be taken to
> ensure that this information is not accessed inappropriately."
>
> This is rather generic, and it's true for any piece of information stored
> anywhere.  If that is all there is to say, the section might as well read "This
> document only registers OIDs and has no special security considerations."
>
> However, I think there is a point that may need to be mentioned. Using this
> extension links a JID, which is a personal identifier that often appears on the
> public Internet (much like an email address), to an LDAP object, which is
> usually limited to an organization, usually the employer of that person. This
> linkability only exists for people who have access to the LDAP server, so it's
> just that users have to take the same care with JIDs that they do with email
> addresses - if you don't want your XMPP messages linked to your employer,
> or linked to you by your employer, it is better to use a private JID that is not
> linked to your employer's LDAP.
>
> This advice to users may be out of scope, but I would like to see a mention
> that JIDs are generally public and pseudonymous, and this links them to a real
> person within an LDAP domain.
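The review's point is that the JID attribute turns a public, pseudonymous identifier into a pointer at a named employee for anyone who can read the directory, so "not accessed inappropriately" in practice means the directory's own access control. The fragment below is an added illustration, not text from either message or from the draft: an OpenLDAP slapd.conf access rule in the weak form (commented out) beside a restricted form. The attribute name jabberID is assumed to be the one the draft registers; the base DN, the reader group and the gateway service account are placeholders.

```conf
# Added example, not from the draft or from the thread.
# Assumed: the draft's attribute is named jabberID.
# Placeholders: dc=example,dc=com, the reader group, the gateway service DN.

# --- Weak form (shown for contrast; do NOT keep this rule) ---
# With a catch-all read rule, an anonymous bind can enumerate every entry's
# jabberID and so link each public XMPP identity to the person behind it.
#access to *
#        by * read

# --- Restricted form ---
# slapd evaluates "access" directives in order and stops at the first "to"
# clause matching the target, so the rule for jabberID must precede any
# general rule.

# Let users authenticate without exposing password hashes.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The JID is organisation-internal: the owner may set it, a named reader
# group and the XMPP gateway account may read it, nobody else sees it.
access to attrs=jabberID
        by self write
        by group.exact="cn=xmpp-directory-readers,ou=groups,dc=example,dc=com" read
        by dn.exact="cn=xmpp-gateway,ou=services,dc=example,dc=com" read
        by * none

# Remaining white-pages data is readable by authenticated users only;
# anonymous clients get nothing.
access to *
        by users read
        by * none
```

Check the rules with slapacl before deploying, for example `slapacl -b "uid=alice,ou=people,dc=example,dc=com" jabberID/read` with no `-D` (anonymous), which should report the read as DENIED, and the same command with `-D` set to a member of the reader group, which should report ALLOWED. The userPassword rule matters: without `by anonymous auth` the "users read" rule can never be reached, because no client can bind.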