[xmpp] Protocol Action: 'PKIX over Secure HTTP (POSH)' to Proposed Standard (draft-ietf-xmpp-posh-06.txt)

The IESG <iesg-secretary@ietf.org> Thu, 10 September 2015 00:54 UTC

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150910005405.1167.42876.idtracker@ietfa.amsl.com>
Date: Wed, 09 Sep 2015 17:54:05 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/xmpp/euCG7kc1PdgkGB2sU3vyD5-tk2g>
Cc: xmpp chair <xmpp-chairs@ietf.org>, xmpp mailing list <xmpp@ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: [xmpp] Protocol Action: 'PKIX over Secure HTTP (POSH)' to Proposed Standard (draft-ietf-xmpp-posh-06.txt)

The IESG has approved the following document:
- 'PKIX over Secure HTTP (POSH)'
  (draft-ietf-xmpp-posh-06.txt) as Proposed Standard

This document is the product of the Extensible Messaging and Presence
Protocol Working Group.

The IESG contact persons are Barry Leiba, Ben Campbell and Alissa Cooper.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-xmpp-posh/





Technical Summary

This document defines the "PKIX over Secure HTTP (POSH)" prooftype, to
be used as part of the XMPP Domain Name Assertion (DNA) framework. From
the abstract:

"Experience has shown that it is extremely difficult to deploy proper
PKIX certificates for TLS in multi-tenanted environments.  As a result,
domains hosted in such environments often deploy applications using
certificates that identify the hosting service, not the hosted domain.
Such deployments force end users and peer services to accept a
certificate with an improper identifier, resulting in obvious security
implications.  This document defines two methods that make it easier to
deploy certificates for proper server identity checking in non-HTTP
application protocols.  While these methods developed for use in the
Extensible Messaging and Presence Protocol (XMPP) as a Domain Name
Association (DNA) prooftype, they might also be usable in other non-HTTP
application protocols."

The XMPP working group believes that this technology is ready for wider
implementation, and would benefit from interoperability testing.
Therefore we request the document to be published as a "Proposed
Standard".


Working Group Summary

   Was there anything in the WG process that is worth noting?
   For example, was there controversy about particular points 
   or were there decisions where the consensus was
   particularly rough? 

Document Quality

During discussion in XMPP, it became apparent that POSH might have more
general applicability. There was a POSH BoF in the Security area at IETF
87. While there was recognition that POSH could be generally useful,
there was no consensus to expand the effort beyond the needs of XMPP.
Therefore POSH was adopted as an XMPP work item, with the idea that we
would make it as general as we reasonable could without bogging down the
work, but that we would not attempt to meet the specific requirements
for applications other than XMPP.

The  chairs believe POSH has reached a broad consensus in XMPP. There
has been considerable review in XMPP, and in the Security area due to
the BoF. POSH does not need targeted reviews beyond the usual Gen-ART,
SecDir, etc reviews.

Reviews have concentrated primarily on clarifying the specification rather
than altering how it works. Some members of the working group (including
an author) have expressed the opinion that this is a stopgap technology rather
than a long-term plan.

At the time of this writing, the shepherd is aware of two experimental
implementations which have not been deployed - however various implementors
of XMPP have expressed some interest, and some are in progress.

Personnel

The document shepherd is Dave Cridland.
The responsible Area Director is Ben Campbell.

[xmpp] Protocol Action: 'PKIX over Secure HTTP (P… The IESG