Re: [Stox] SIPS URIs and SIP/XMPP gateways - WAS: review: stox-core-04

Peter Saint-Andre <stpeter@stpeter.im> Mon, 30 September 2013 14:56 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: stox@ietfa.amsl.com
Delivered-To: stox@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AB7F21F9A19 for <stox@ietfa.amsl.com>; Mon, 30 Sep 2013 07:56:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.851
X-Spam-Level:
X-Spam-Status: No, score=-101.851 tagged_above=-999 required=5 tests=[AWL=-0.122, BAYES_00=-2.599, SARE_MLH_Stock1=0.87, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JG6WoCL82XjL for <stox@ietfa.amsl.com>; Mon, 30 Sep 2013 07:56:48 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 1854F21F9A65 for <stox@ietf.org>; Mon, 30 Sep 2013 07:56:48 -0700 (PDT)
Received: from ergon.local (unknown [71.237.13.154]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id D3D9B414CD; Mon, 30 Sep 2013 09:02:16 -0600 (MDT)
Message-ID: <5249912E.6060104@stpeter.im>
Date: Mon, 30 Sep 2013 08:56:46 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: "Olle E. Johansson" <oej@edvina.net>
References: <E44893DD4E290745BB608EB23FDDB7620A0CE34A@008-AM1MPN1-042.mgdnok.nokia.com> <52458C47.1010702@nostrum.com> <5245AEE7.4010000@stpeter.im> <5248DA2D.7080809@stpeter.im> <52497E86.5020302@nostrum.com> <77B75929-D2A5-4B75-821B-E637C55B0C95@edvina.net>
In-Reply-To: <77B75929-D2A5-4B75-821B-E637C55B0C95@edvina.net>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: fluffy@cisco.com, Jon Peterson <jon.peterson@neustar.biz>, stox@ietf.org, Markus.Isomaki@nokia.com, salvatore.loreto@ericsson.com, Robert Sparks <rjsparks@nostrum.com>
Subject: Re: [Stox] SIPS URIs and SIP/XMPP gateways - WAS: review: stox-core-04
X-BeenThere: stox@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SIP-TO-XMPP Working Group discussion list <stox.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stox>, <mailto:stox-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stox>
List-Post: <mailto:stox@ietf.org>
List-Help: <mailto:stox-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stox>, <mailto:stox-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Sep 2013 14:56:53 -0000

On 9/30/13 7:43 AM, Olle E. Johansson wrote:
> 
> 30 sep 2013 kl. 15:37 skrev Robert Sparks <rjsparks@nostrum.com>om>:
> 
>> On 9/29/13 8:55 PM, Peter Saint-Andre wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 9/27/13 10:14 AM, Peter Saint-Andre wrote:
>>>> On 9/27/13 7:46 AM, Robert Sparks wrote:
>>>>> (Adding Jon)
>>>>> Peter - is there nothing in XMPP that lets a client say "I want
>>>>> this to use secure transports only - have it fail rather than
>>>>> use an insecure transport anywhere along its delivery path?"
>>>> No. That doesn't mean we don't need it (although in general people
>>>> have thought we *wouldn't* need it if we could just define an
>>>> end-to-end encryption method that solve all the relevant use
>>>> cases).
>>>>
>>>>> That's the primary property you should discuss. Without putting
>>>>> a lot of thinking into it, I suspect that if you _don't_ have a
>>>>> way to express that available (which is what I'm taking away from
>>>>> your last sentence), the right guidance in the document is to
>>>>> refuse to gateway a SIP request that expresses that requirement.
>>>> Indeed, that seems correct.
>>>>
>>>> Thanks for the guidance.
>>> Here is proposed text:
>>>
>>>    As specified in Section 26.4.4 of [RFC3261], a To header or a
>>>    Request-URI containing a SIPS URI is used to indicate that all hops
>>>    in a communication path need to be protected using Transport Layer
>>>    Security [RFC5246].  Because XMPP lacks a way to signal that all hops
>>>    need to be encrypted, if the To header or Request-URI of a SIP
>>>    message is a SIPS URI then the SIP-to-XMPP gateway MUST NOT translate
>>>    the SIP message into an XMPP stanza and MUST NOT route it to the
>>>    destination XMPP server.
>> wfm. You might also talk about not using sips when going XMPP->SIP.
>> If you haven't found it already, see also RFC5630.
> 
> Agree. It will help a lot of developers to explain that even if you find NAPTR
> records indicating that a destination ONLY supports TLS connections,
> you will look up _sips._tcp in SRV but this does NOT mean that you are going
> to use a SIPS: uri. The _sips SRV tag and the SIPS: uri are unfortunately
> very similar but not directly related in a confusing way :-)

Thanks for the notes. I'll review those today.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/