Re: [xmpp] New(ish) draft: Secure Messaging in XMPP
Philipp Hancke <fippo@goodadvice.pages.de> Mon, 26 October 2015 03:57 UTC
Return-Path: <fippo@goodadvice.pages.de>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7781E1B3625 for <xmpp@ietfa.amsl.com>; Sun, 25 Oct 2015 20:57:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.601
X-Spam-Level:
X-Spam-Status: No, score=-0.601 tagged_above=-999 required=5 tests=[BAYES_50=0.8, GB_I_INVITATION=-2, J_CHICKENPOX_34=0.6, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y3OWZ_Ee2gXa for <xmpp@ietfa.amsl.com>; Sun, 25 Oct 2015 20:57:31 -0700 (PDT)
Received: from lo.psyced.org (lost.in.psyced.org [188.40.42.221]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62EC21B3624 for <xmpp@ietf.org>; Sun, 25 Oct 2015 20:57:31 -0700 (PDT)
Received: from [192.168.20.105] (97-90-49-254.static.yakm.wa.charter.com [97.90.49.254]) (authenticated bits=0) by lo.psyced.org (8.14.3/8.14.3/Debian-9.4) with ESMTP id t9Q3xItJ025678 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for <xmpp@ietf.org>; Mon, 26 Oct 2015 04:59:22 +0100
To: xmpp@ietf.org
References: <562AA40E.40407@nostrum.com>
From: Philipp Hancke <fippo@goodadvice.pages.de>
Message-ID: <562DA49E.8020108@goodadvice.pages.de>
Date: Sun, 25 Oct 2015 20:57:18 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <562AA40E.40407@nostrum.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/xmpp/68Niouf_44mZuHoZk8Puis2prKY>
Subject: Re: [xmpp] New(ish) draft: Secure Messaging in XMPP
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/xmpp/>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2015 03:57:34 -0000
Am 23.10.2015 um 14:18 schrieb Adam Roach: > XMPP folks: > > Martin and I put together a proposal for an approach that allows for > end-to-end encrypted XMPP conversations, including in the presence of > MUC. Although not a completely implementable spec, this should give a > good idea about the direction we have in mind: > > https://tools.ietf.org/html/draft-thomson-xmpp-secure-00 > > Anyone interested in this work should give it a read and provide > feedback. quite a number of comments and questions... https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-3.2.1 Clients that wish to participate in encrypted messaging publish keying material to their presence we've stopped putting stuff into presence quite a while ago... See PEP question below. (I assume you don't require compat with ancient services like google talk that could never be bothered to implement post-2004 features like PEP) Each client generates new keying material that is bound to the full JID that they use (that is, each client has its own keying material; there is no key associated with a user's bare JID). This is problematic with server-chosen resource parts which change with each login. 'static' resources like 'desktop', 'work' or 'iphone' are a thing of the past. PEP is likely the answer here. https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-3.2.2 Prior to sending a message, a client first retrieves and validates the presence of the intended recipient. Can you explain what you mean with 'first retrieves and validates the presence of the intended recipient'? I suspect the presence model you have in mind is not what XMPP commonly does... which is 'broadcast' so no retrieval. https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-3.3 A user founds a MUC in the usual fashion (see [XEP-0045], section 10.1). Two changes are made: broken link. I would also suggest replacing 'founds' with 'creates' for consistency of terminology. But that's just me. https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-3.3.1 The inviting client generates a signed invitation and sends this to the bare JID of the offline user using what key? The bare JID has no key. If not using MAM this message might be delivered to the next client that signs on which might not be a client that can decrypt the message. https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-4 <x xmlns="...identity#assertion"> Can you please use other element names? <x/> is very non-descriptive which is the reason that new xmpp extensions don't use this style anymore. https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-4.1 The server uses the client's authentication credentials, which are usually bound to a connection, to determine if the client owns the identifier. the identifier being user@example.com/resource? https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-4.2 generates an error, or a message containing the identity. s/message/result (this refers to an iq-result) https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-5 The routing and message handling information from the cleartext (element basename plus to, from, and type attributes) For <iq/> this should include the id attribute? That is, <iq> stanzas produce encrypted <iq> stanzas; <message> we usually write this as <iq/> and <message/> (also elsewhere) https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-5.1 This removes the language indicator from the unencrypted stanza. Note that the server might re-add the stream's xml:lang when forwarding. Not a problem I think, I would just omit the xml:lang in the example. It's rarely used anyway. To do: check with someone who might know. should be ignored. Note that the lack of <body/> might affect storage, see http://xmpp.org/extensions/xep-0313.html section 5. Also resource locking, carbons etc. Multi-client is a hard problem. https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-5.2.3 Since there is an expectation of reliability and in-order message delivery, clients should highlight where message are missing. This reliability is only partially achieved when crossing s2s. I need to ponder more on this. https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-5.3 A signature on messages is necessary to prevent impersonation of other MUC participants. wait, why is this now talking about MUC again? https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-5.5 Encrypting status is highly desirable. You'll end up encrypting 'user has been unavailable for 15 minutes' -- in languages some of the users friends don't even understand. In practice few people use the status. https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-5.6 Thus, clients are required to suppress chat state notifications when a peer is offline. I think that's already in XEP-0085. Since you don't have presence for the peer you don't know their chat state support and should not send chat states. https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-6.1 Please, don't put stuff into <presence/>. Use PEP. You also want to use XEP-0335. https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-7 I think using 'roster' here is confusing since that is used in 6121 and XEP-0045 for slightly different purposes (neither of which makes any assertions about validity). https://tools.ietf.org/html/draft-thomson-xmpp-secure-00#section-8 I like the idea. It is better than 'just use sasl anonymous' since the server can provide this service only to authenticated clients. In terms of implementation, I think this better described as an xmpp-to-xmpp transport. There is something here which puzzles me: Clients are able to include the new pseudonym in any interaction that they initiate Are you assuming that client that requested this would send stanzas with from='7ee6df7a831198624131@example.com/someresource'? Servers will typically override any client-set 'from' which seems to have impact on the crypto scheme you're proposing.
- [xmpp] New(ish) draft: Secure Messaging in XMPP Adam Roach
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Thijs Alkemade
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Philipp Hancke
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Florian Schmaus
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Florian Schmaus
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Martin Thomson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Andreas Straub
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Martin Thomson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Martin Thomson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Martin Thomson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Simon Josefsson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Bartosz Małkowski
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Dave Cridland
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Bartosz Małkowski
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Martin Thomson
- Re: [xmpp] New(ish) draft: Secure Messaging in XM… Dave Cridland