Re: [xmpp] Comments/Questions on draft-ietf-xmpp-websocket
Lance Stout <lancestout@gmail.com> Tue, 05 November 2013 23:41 UTC
Return-Path: <lancestout@gmail.com>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C61F921E80AF for <xmpp@ietfa.amsl.com>; Tue, 5 Nov 2013 15:41:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rmfTuw8L7pKR for <xmpp@ietfa.amsl.com>; Tue, 5 Nov 2013 15:41:16 -0800 (PST)
Received: from mail-pa0-x233.google.com (mail-pa0-x233.google.com [IPv6:2607:f8b0:400e:c03::233]) by ietfa.amsl.com (Postfix) with ESMTP id B9E0721E80D1 for <xmpp@ietf.org>; Tue, 5 Nov 2013 15:41:16 -0800 (PST)
Received: by mail-pa0-f51.google.com with SMTP id ld10so9577563pab.24 for <xmpp@ietf.org>; Tue, 05 Nov 2013 15:41:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=Wsyenrgf56gVme3UGrL2Eb10qQBMlv/uJGEKNglfA9s=; b=upmNndqa/oK/RhdZpEcYj7Lwn1cNkp4mt1+nRWsJTRNCtnbJjXB5hpi41qdUabqB/D 342RQiEOu3A6vRfvS568dDu/d/+EjQ/8nOkn0+KydR07GHqYgA1qDwSiiu5OP3T0Mrts OAlmQHWcXPICat9aiwtLZnxrVIcSfhUNbfqM//Lgebylx4vudr3L0WZE3SoBGne5ZZtY 14HSbxU8W17bfgNjS0L/EPY1z+4XIKEvxJDPTWufQOTG3W7+EocJQ9ZpMMow+MbpFt8L 1YLLXBSlHWzMck8xo+tGns8K190R9AJf7ybOWsmhROgBDnDnAbrfb0TATJolFkF1yGQb xm+Q==
X-Received: by 10.68.35.229 with SMTP id l5mr202044pbj.134.1383694874835; Tue, 05 Nov 2013 15:41:14 -0800 (PST)
Received: from [10.0.2.195] (71-84-176-17.dhcp.mdfd.or.charter.com. [71.84.176.17]) by mx.google.com with ESMTPSA id ql10sm35690369pbc.44.2013.11.05.15.41.13 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 05 Nov 2013 15:41:13 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_ADF8CC67-A92A-40DD-9B36-DF4C0AE82702"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1816\))
From: Lance Stout <lancestout@gmail.com>
In-Reply-To: <76A075A0-6A3B-4999-A22C-26D188604636@nostrum.com>
Date: Tue, 05 Nov 2013 15:41:11 -0800
Message-Id: <ECAA0EAA-7E7E-4931-A632-1B02C0303510@gmail.com>
References: <76A075A0-6A3B-4999-A22C-26D188604636@nostrum.com>
To: XMPP Working Group <xmpp@ietf.org>
X-Mailer: Apple Mail (2.1816)
Subject: Re: [xmpp] Comments/Questions on draft-ietf-xmpp-websocket
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2013 23:41:18 -0000
On Nov 5, 2013, at 10:25 AM, Ben Campbell <ben@nostrum.com> wrote: > (As individual) > > -- section 3.5: > > Does it make sense to distinguish a “clean” closure from otherwise? (Perhaps with a MUST close the stream for a clean closure...) Yes, it does make sense in the context of using XEP-0198 for stream management. I thought I had that defined, but it looks like one more sentence making that more explicit would be good. > -- 3.8: > > Is the client expected to know if it’s talking to a connection manager rather than the xmpp server? > > -- 3.9: > > Does this create problems if a server wants to force TLS? > > What are the security associations if a connection manager is in the path? Is it possible to have an e2e TLS SA between client and server if there’s a connection manager? IMO, the concept of third-party connection managers needs to go away. From the consuming side, I only see 'The XMPP Server' whose domain matches the cert used by the WebSocket connection. Now, in reality I may be talking to an intermediate connection manager/load balancer, but it is one provided by the same organization as the XMPP server proper and with the same level of trust (of course, using TLS for internal server links looks to be a good idea nowadays). But, what if you want to use a connection manager to establish a WebSocket connection to a domain that does not natively provide WebSocket access? You could use your own personal manager, in which case the trust issue goes back to that of a normal TCP session as long as you trust yourself for the security of the WebSocket data. However, it's game over security-wise if you have to use someone else's connection manager because the data has to be converted back to plaintext for WebSocket, particularly in order to satisfy the framing requirements. FWIW, from my experience, third-party connection managers are only used for Facebook. > -- 4: > > Should this section have normative language? > > This section has an informative reference to XEP-0156. On a quick read, I wonder if that should not be normative, in the sense that one needs to understand XEP-0156 to understand this section. OTOH, the DNS use of XMPP over TCP is defined in 6120, as it's pretty core to the protocol. Is it appropriate to reference a XEP for something like that? > > (I note that Peter said in a separate email that this XEP is about to change. But I'm not sure that changes my concern about referencing a XEP for something this fundamental to the protocol.) No opinion here either way. The updated XEP-0156, if accepted, would be a much nicer fit than the DNS method (by using the browser-accessible .well-known/host-meta file). We already have RFC 6120 referencing XEP-0156 for fallback discovery mechanisms. Ben: Are you suggesting that XEP-0156 needs to become an RFC or incorporated into 6120bis? > -- 5 (security considerations) > > Seems like we need more here. Is authentication still at xmpp level? (there's a brief mention of sasl handshakes—does anything change? If not, say so.) Good point. Consensus at one point was that authentication *can* be done at the WebSocket level (auth headers/session cookie/etc), but that a SASL EXTERNAL would be needed at the XMPP layer for it. I think this should be revisited Friday. > It’s probably worth noting that ws prevents you from using the cert toauthorize the xmpp service, rather than just the ws service. is that okay? Right, that would be an issue for third-pary connection managers. For a first party service, I think the WS server and the XMPP server should be responding as the same domain, since there is no distinguishing difference to the end client. > In general, I think we need to address the tension between XMPP/WebSocket removing some degree of application layer control over how TLS is used, while at the same time we have a draft from Peter that proposes to strengthen the rules for TLS in XMPP. I don't necessarily know whether that's a problem or not--but we should explicitly discuss it and document that discussion here. +1 to discussion. -- Lance
- [xmpp] Comments/Questions on draft-ietf-xmpp-webs… Ben Campbell
- Re: [xmpp] Comments/Questions on draft-ietf-xmpp-… Lance Stout