[xmpp] Comments/Questions on draft-ietf-xmpp-websocket

[Ben Campbell <ben@nostrum.com>]

(As individual)

-- section 3.5:

Does it make sense to distinguish a “clean” closure from otherwise? (Perhaps with a MUST close the stream for a clean closure...)

-- 3.8:

Is the client expected to know if it’s talking to a connection manager rather than the xmpp server?

-- 3.9:

Does this create problems if a server wants to force TLS? 

What are the security associations if a connection manager is in the path? Is it possible to have an e2e TLS SA between client and server if there’s a connection manager?

-- 4:

Should this section have normative language?

This section has an informative reference to XEP-0156. On a quick read, I wonder if that should not be normative, in the sense that one needs to understand XEP-0156 to understand this section. OTOH, the DNS use of XMPP over TCP is defined in 6120, as it's pretty core to the protocol. Is it appropriate to reference a XEP for something like that?

(I note that Peter said in a separate email that this XEP is about to change. But I'm not sure that changes my concern about referencing a XEP for something this fundamental to the protocol.)

-- 5 (security considerations)

Seems like we need more here. Is authentication still at xmpp level? (there's a brief mention of sasl handshakes—does anything change? If not, say so.) 

It’s probably worth noting that ws prevents you from using the cert toauthorize the xmpp service, rather than just the ws service. is that okay?

In general, I think we need to address the tension between XMPP/WebSocket removing some degree of application layer control over how TLS is used, while  at the same time we have a draft from Peter that proposes to strengthen the rules for TLS in XMPP. I don't necessarily know whether that's a problem or not--but we should explicitly discuss it and document that discussion here.

Thanks!

Ben.