From 0d4e0b9b16a803550d02d56429f4660d1be250ae Mon Sep 17 00:00:00 2001 From: stpeter Date: Tue, 12 Apr 2011 07:57:50 -0600 Subject: [PATCH] updated TLS reference --- xep-0138.xml | 2 +- xep-0174.xml | 2 +- xep-0207.xml | 2 +- xep-0219.xml | 4 ++-- xep-0225.xml | 2 +- xep-0246.xml | 4 ++-- xep-0250.xml | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/xep-0138.xml b/xep-0138.xml index 1ff09ee2..69fe6c75 100644 --- a/xep-0138.xml +++ b/xep-0138.xml @@ -93,7 +93,7 @@ -

&xmppcore; specifies the use of Transport Layer Security (TLS; see &rfc4346;) for encryption of XML streams, and TLS includes the ability to compress encrypted traffic (see &rfc3749;). However, not all computing platforms are able to implement TLS, and traffic compression may be desirable for communication by applications on such computing platforms. This document defines a mechanism for negotiating the compression of XML streams outside the context of TLS.

+

&xmppcore; specifies the use of Transport Layer Security (TLS; see &rfc5246;) for encryption of XML streams, and TLS includes the ability to compress encrypted traffic (see &rfc3749;). However, not all computing platforms are able to implement TLS, and traffic compression may be desirable for communication by applications on such computing platforms. This document defines a mechanism for negotiating the compression of XML streams outside the context of TLS.

 diff --git a/xep-0174.xml b/xep-0174.xml index 28b4112a..a1312546 100644 --- a/xep-0174.xml +++ b/xep-0174.xml @@ -498,7 +498,7 @@ _presence._tcp.local. IN NULL raw-binary-data-here -

XMPP networks use TLS (&rfc4346;) for channel encryption, SASL (&rfc4422;) for authentication, and the Domain Name System (&rfc1034;) for weak validation of server hostnames; these technologies help to ensure the identity of sending entities and to encrypt XML streams. By contrast, zero-configuration networking uses dynamic discovery and asserted machine names as the basis of sender identity. Therefore, serverless messaging does not result in authenticated identities in the same way that XMPP itself does, nor does it provide for an encrypted channel between entities.

+

XMPP networks use TLS (&rfc5246;) for channel encryption, SASL (&rfc4422;) for authentication, and the Domain Name System (&rfc1034;) for weak validation of server hostnames; these technologies help to ensure the identity of sending entities and to encrypt XML streams. By contrast, zero-configuration networking uses dynamic discovery and asserted machine names as the basis of sender identity. Therefore, serverless messaging does not result in authenticated identities in the same way that XMPP itself does, nor does it provide for an encrypted channel between entities.

To secure communications between serverless entities, it is RECOMMENDED to negotiate the use of TLS and SASL for the XML stream as described in RFC 3920. However, subject to client configuration and local service policies, an entity MAY accept an unauthenticated and unencrypted channel, in which case the client SHOULD warn the human user that the channel is unauthenticated and unencrypted.

 diff --git a/xep-0207.xml b/xep-0207.xml index 658f2708..9d670e02 100644 --- a/xep-0207.xml +++ b/xep-0207.xml @@ -130,7 +130,7 @@ ]]> -

It is true that in this case the packets are significantly larger in the pubsub realization than in the old-fashioned presence realization. This is the price of elegance. Implementations SHOULD use native Transport Layer Security compression (see &rfc4346;) or &xep0138; at the application layer to conserve bandwidth.

+

It is true that in this case the packets are significantly larger in the pubsub realization than in the old-fashioned presence realization. This is the price of elegance. Implementations SHOULD use native Transport Layer Security compression (see &rfc5246;) or &xep0138; at the application layer to conserve bandwidth.

 diff --git a/xep-0219.xml b/xep-0219.xml index 5a409590..96b19ad0 100644 --- a/xep-0219.xml +++ b/xep-0219.xml @@ -67,7 +67,7 @@

Note: This specification has been retracted by the author because the problem is not compelling and a real solution would be too complicated.

-

When two XMPP users communicate, one or both of them may want to know the status of the XMPP communications path (i.e., of all the hops) between them. While the primary motivation is to determine if all the hops are secured via Transport Layer Security (see &rfc4346;) as specified for XMPP in &rfc3920;, more general information about the communications path may also be of interest.

+

When two XMPP users communicate, one or both of them may want to know the status of the XMPP communications path (i.e., of all the hops) between them. While the primary motivation is to determine if all the hops are secured via Transport Layer Security (see &rfc5246;) as specified for XMPP in &rfc3920;, more general information about the communications path may also be of interest.

This document describes a protocol for discovering such information, similar in spirit to the traceroute protocol specified in &rfc1393; but specific to XMPP.

 @@ -209,7 +209,7 @@ ]]>

The 'delay' attribute is OPTIONAL. If included, it represents the time in milliseconds that it took for the respondent to receive a reply from the target or intermediate respondent.

The 'ip' attribute is OPTIONAL. If included, it represents the IPv4 or IPv6 address of the target or intermediate respondent.

-

The 'encrypted' attribute is REQUIRED. It is a boolean &BOOLEANNOTE; that represents whether the hop in question is encrypted via Transport Layer Security (see &rfc4346;) or at a legacy SSL port.

+

The 'encrypted' attribute is REQUIRED. It is a boolean &BOOLEANNOTE; that represents whether the hop in question is encrypted via Transport Layer Security (see &rfc5246;) or at a legacy SSL port.

The 'auth' attribute is REQUIRED. It represents whether and how the hop in question is authenticated, in particular via one of the following means:

  • A Simple Authentication and Security Layer mechanism (see &rfc4422; for the specification and &ianasasl; for a list of registered SASL mechanisms; the names for standardized, non-obsolete mechanisms are used as values of the 'auth' attribute).
    • diff --git a/xep-0225.xml b/xep-0225.xml index af78e064..ee214036 100644 --- a/xep-0225.xml +++ b/xep-0225.xml @@ -43,7 +43,7 @@

    &xep0114; defines a protocol that enables a server component to connect to an XMPP server. However, there are a number of perceived limitations with that protocol:

      -
    • It does not support Transport Layer Security (TLS; see &rfc4346;) for channel encryption.
      • +
    • It does not support Transport Layer Security (TLS; see &rfc5246;) for channel encryption.
    • It does not support the Simple Authentication and Security Layer (SASL; see &rfc4422;) for authentication.
    • It does not enable a component to bind multiple hostnames to one stream (as, for example, a client can bind multiple resource identifiers).
    • It multiplies namespaces beyond necessity, adding the "jabber:component:accept" and "jabber:component:connect" namespaces to "jabber:client" and "jabber:server".
      • diff --git a/xep-0246.xml b/xep-0246.xml index 139e7ff5..f819afc2 100644 --- a/xep-0246.xml +++ b/xep-0246.xml @@ -77,10 +77,10 @@ -

      The mere exchange of stream headers results in an unencrypted and unauthenticated channel between the two entities. The entities SHOULD upgrade the channel to an encrypted stream using the XMPP STARTTLS command defined in &xmppcore; using &rfc4346;, optionally followed by SASL negotiation for mutual authentication (see &rfc4422;).

      +

      The mere exchange of stream headers results in an unencrypted and unauthenticated channel between the two entities. The entities SHOULD upgrade the channel to an encrypted stream using the XMPP STARTTLS command defined in &xmppcore; using &rfc5246;, optionally followed by SASL negotiation for mutual authentication (see &rfc4422;).

      End-to-end XML streams can be negotiated between two XMPP clients, between an XMPP client and a remote XMPP service (i.e., a service with which a client does not have a direct XML stream, such as a remote &xep0045; room), or between two remote XMPP services. Therefore, if standard X.509 certificates are used then a party to an e2e XML stream will present either a client certificate or a server certificate as appropriate. If X.509 certificates are used, they MUST at a minimum be generated and validated in accordance with the certificate guidelines guidelines provided in &rfc6120;; however, applications of end-to-end XML streams MAY define supplemental guidelines for certificate validation in the context of particular architectures, such as XEP-0174 for link-local streams and XEP-0247 for direct or mediated streams negotiated through XMPP servers.

      To ease the transition from the PGP-based object encryption method specified in &xep0027;, clients using TLS for e2e streams MAY use the OpenPGP TLS extension defined in &rfc5081; (if available).

      -

      Use of other TLS extensions MAY be appropriate as well, including those defined in &rfc4346; and &rfc5054;.

      +

      Use of other TLS extensions MAY be appropriate as well, including those defined in &rfc5246; and &rfc5054;.

       diff --git a/xep-0250.xml b/xep-0250.xml index c244dfe3..aeb88217 100644 --- a/xep-0250.xml +++ b/xep-0250.xml @@ -56,7 +56,7 @@ -

      For secure client-to-client (C2C) communication the clients can use &xep0174; or &xep0247; to open a connection between the two clients. To open an XMPP connection &xep0246; defines a stream setup similar to the setup used by client-server communications. To secure the communication the extension defines the use of Transport Layer Security as defined in &rfc4346; for encryption and authentication. XEP-0246 suggest to use the OpenPGP TLS extension but does not specify how to negotiate if both peers support the extension and if they are able to verify the OpenPGP key. It makes no sense to use OpenPGP instead of X.509 certificates if there is also no trust on OpenPGP level. This document describes how to negotiate how to use TLS to exchange possible extensions and key fingerprints before the actual TLS handshake.

      +

      For secure client-to-client (C2C) communication the clients can use &xep0174; or &xep0247; to open a connection between the two clients. To open an XMPP connection &xep0246; defines a stream setup similar to the setup used by client-server communications. To secure the communication the extension defines the use of Transport Layer Security as defined in &rfc5246; for encryption and authentication. XEP-0246 suggest to use the OpenPGP TLS extension but does not specify how to negotiate if both peers support the extension and if they are able to verify the OpenPGP key. It makes no sense to use OpenPGP instead of X.509 certificates if there is also no trust on OpenPGP level. This document describes how to negotiate how to use TLS to exchange possible extensions and key fingerprints before the actual TLS handshake.

      After the TLS handshake both communication partners MUST be sure that they are communicating with the correct person without a man-in-the-middle.