From 2e6efba85c8390f162b9e1596ee9a1fa37cf9b82 Mon Sep 17 00:00:00 2001 From: "Ruslan N. Marchenko" Date: Wed, 29 Jul 2020 07:38:35 +0200 Subject: [PATCH 1/6] Correct MAM UID "not-found" note --- xep-0313.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xep-0313.xml b/xep-0313.xml index 8a6ddb2c..7538d1a4 100644 --- a/xep-0313.xml +++ b/xep-0313.xml @@ -430,7 +430,7 @@ ]]> -

If any UID requested by the client in any of the 'before-id', 'after-id' or 'ids' form fields, the server MUST return an item-not-found error in response to the query.

+

If any UID requested by the client in any of the 'before-id', 'after-id' or 'ids' form fields is not present in the archive, the server MUST return an item-not-found error in response to the query.

From 4b020e18f1d579d37566417556f7db0464cb7b1d Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Tue, 4 Aug 2020 12:49:04 +0200 Subject: [PATCH 2/6] XEP-0440: Version 0.2.0 of "XEP-0440: SASL Channel-Binding Type Capability" --- xep-0440.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 61 insertions(+), 4 deletions(-) diff --git a/xep-0440.xml b/xep-0440.xml index bbdbfadf..b54764c3 100644 --- a/xep-0440.xml +++ b/xep-0440.xml @@ -23,6 +23,15 @@ sasl-cb-types &flow; + + 0.2.0 + 2020-08-04 + fs + + Discuss interaction with SASL mechanism and add security considerations. + Recommend implementation of tls-server-end-point. + + 0.1.0 2020-06-14 @@ -88,11 +97,56 @@ + + +

Some channel-binding enabled SASL mechanisms reflect the server's + presumed channel-binding abilities back to the server. This prevents + SASL-mechanism stripping attacks, where a Man in the Middle (MITM) + removes certain SASL mechanisms in an attempt to downgrade the + mechanism choosen for authentication to a non-channel-binding enabled + one. An example of a SASL mechanism family with this feature is + &rfc5802;. This standard specifies the gs2-cbind-flag. The flag has a + tristate value of "I don't support channel-binding" (n), "I think you + do not support channel-binding, but I do" (y), or, "Let us use + channel-binding type X" (p).

+ +

Clients using the information provided + via <sasl-channel-binding/> MAY want to indicate to the server + that they do not support channel-binding (even if they do) if no + mutual supported channel-binding type was found. The only alternative + is, that the client signals the server that he believes that the server + does not support channel binding. But this may cause the server to + terminate the connection, because it indicates a potential ongoing + SASL-mechanism stripping attack.

+ + + -

The author belives that this document itself does not yield any - new security considerations.Hopefully somebody will correct him, in - case he is wrong.

+

If a client signals to the server that he does not support + channel binding, because it found no mutual supported + channel-binding types, another MITM attack + vector is introduced. An active attacker could replace the + <sasl-channel-binding;> list with channel bindings unlikely + (or impossible) to be supported by the client. If the client is + configured to use non-channel-binding SASL mechanisms as a fallback, + this could be used to downgrade the connection security. Note that + this attack is a different one than the SASL-mechanism stripping one: + Here the attacker tempers with the announced channel-binding types, + i.e., the values within <sasl-channel-binding;>

+ +

Depending on the application's security policy, clients may + refrain from falling back to non-channel-binding SASL mechanisms + if no mutual supported channel-binding type is available. + Alternatively, they may try channel-binding with a supported type + nevertheless. To mitigate the attack describe above, clients + could "pin" the announced channel bindings types by a service. In that + case, implementations may want to allow the set of pinned channel-binding + types to be extended to stronger ones.

+ +

As further mitigation, it is RECOMMENDED to implement the + channel-binding type tls-server-end-point (&rfc5929;) to increase the + probability of a mutual supported channel-binding type.

 @@ -117,7 +171,10 @@

Thanks to Sam Whited for the discussion about the underlying - issue and incentivizing me to come up with this extension.

+ issue and incentivizing me to come up with this extension. Further + thanks goes to Ruslan N. Marchenko for pointing out the possible + MITM attack vector. Last but not least, Dave Cridland provided + valuable feedback.

 From d08ec2832d09b8851a777a8fc5a2ebf77e3ffd03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= Date: Tue, 4 Aug 2020 17:43:09 +0200 Subject: [PATCH 3/6] XEP-0313: add revision block --- xep-0313.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/xep-0313.xml b/xep-0313.xml index 7538d1a4..2d7ff405 100644 --- a/xep-0313.xml +++ b/xep-0313.xml @@ -28,6 +28,14 @@ &mwild; &ksmith; + + 0.7.1 + 2020-08-04 + rufferson + +

Fix missing part of sentence to make more sense

+ + 0.7.0 2020-03-20 From f7e43277b8628ce6b650524ca5c2363e058718ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= Date: Tue, 4 Aug 2020 17:48:43 +0200 Subject: [PATCH 4/6] XEP-0048: Deprecate in favour of XEP-0402 --- xep-0048.xml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/xep-0048.xml b/xep-0048.xml index ecdb5914..305aed56 100644 --- a/xep-0048.xml +++ b/xep-0048.xml @@ -10,7 +10,7 @@ This specification defines an XML data format for use by XMPP clients in storing bookmarks to mult-user chatrooms and web pages. The chatroom bookmarking function includes the ability to auto-join rooms on login. &LEGALNOTICE; 0048 - Draft + Deprecated Standards Track Standards @@ -19,7 +19,9 @@ XEP-0223 - + + XEP-0402 + bookmarks http://www.xmpp.org/schemas/bookmarks.xsd @@ -32,6 +34,12 @@ &pgmillard; &stpeter; + + 1.2 + 2020-08-04 + XEP Editor (jsc) + Deprecate in favour of XEP-0402 + 1.1 2007-11-07 From 55f7a2073d03bd8710fa3781118800a76a569ca0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= Date: Tue, 4 Aug 2020 17:54:23 +0200 Subject: [PATCH 5/6] XEP-0411: Issue Last Call --- xep-0411.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xep-0411.xml b/xep-0411.xml index 01d9a105..1df087fa 100644 --- a/xep-0411.xml +++ b/xep-0411.xml @@ -10,7 +10,8 @@ This specification describes a method to migrate to PEP based bookmarks without loosing compatibility with client that still use Private XML. &LEGALNOTICE; 0411 - Deferred + Proposed + 2020-08-18 Standards Track Standards Council From 11b4f4ed6708c403f4bf285f53b033b6e204deef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= Date: Tue, 4 Aug 2020 17:54:48 +0200 Subject: [PATCH 6/6] XEP-0352: Issue Last Call --- xep-0352.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xep-0352.xml b/xep-0352.xml index 5dff6569..3502747a 100644 --- a/xep-0352.xml +++ b/xep-0352.xml @@ -10,7 +10,8 @@ This document defines a way for the client to indicate its active/inactive state. &LEGALNOTICE; 0352 - Deferred + Proposed + 2020-08-18 2017-12-21 2017-11-15 2017-03-28