[Stox] Stephen Farrell's IESG feedback on draft-ietf-stox-core

Peter Saint-Andre <stpeter@stpeter.im> Mon, 10 February 2014 18:24 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: stox@ietfa.amsl.com
Delivered-To: stox@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 593A71A031B; Mon, 10 Feb 2014 10:24:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id GtQUG9d1weZX; Mon, 10 Feb 2014 10:24:20 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im []) by ietfa.amsl.com (Postfix) with ESMTP id A97EE1A01F1; Mon, 10 Feb 2014 10:24:20 -0800 (PST)
Received: from aither.local (unknown []) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 3F668403BB; Mon, 10 Feb 2014 11:24:20 -0700 (MST)
Message-ID: <52F91953.8010604@stpeter.im>
Date: Mon, 10 Feb 2014 11:24:19 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: The IESG <iesg@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: stox@ietf.org
Subject: [Stox] Stephen Farrell's IESG feedback on draft-ietf-stox-core
X-BeenThere: stox@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SIP-TO-XMPP Working Group discussion list <stox.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stox>, <mailto:stox-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stox/>
List-Post: <mailto:stox@ietf.org>
List-Help: <mailto:stox-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stox>, <mailto:stox-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 18:24:22 -0000

( + STOX WG since one of the issues might deserve broader discussion )

Hi Stephen, thanks for your review:


You wrote in part:

    - I wondered why you didn't just say that (D)TLS SHOULD
    be used/supported between gateways. Given that all the
    relevant bits of code are likely to support that, wouldn't
    it be a good thing?

Yes, that seems eminently reasonable.

    - Has anyone thought about confusability in the name
    mappings? I expected to see a bit of text in the
    security considerations but didn't see it.

Confusion is always possible. :-) Were you thinking about confusable 
characters from Unicode, or something else?

    - It seems a shame to not be able to gateway when the To is
    a sips URI at all but I understand that some loss of
    security is inevitable for cases like this. Is there any
    work planned for an update that would allow gatewaying for
    such cases, e.g. if the 1st XMPP server is the one to which
    the user is connected and the user is connected using

Hmm. I cannot say that I am aware of planning for updates to provide 
more secure gatewaying, although folks active in the STOX WG might be 
thinking along those lines.

Depending on the deployment architecture, I think there are cases where 
it is *possible* to TLS-protect all the hops. For instance, if 
sip.example.org has a direct server-to-server connection to 
xmpp.example.com (no intermediate hops) and both organizations agree to 
force the use of TLS for client connections (e.g., via SLA), then I 
suppose that sip.example.com could honor 'sips' URIs when sending 
traffic to xmpp.example.com. However, such an arrangement is rare enough 
right now that I don't know if it is worth mentioning.


Peter Saint-Andre