From 7c185233b8563a14b45c048e09c9d5eaa368cfe2 Mon Sep 17 00:00:00 2001 From: Sam Whited Date: Sat, 12 Mar 2016 16:11:07 -0600 Subject: [PATCH] Update references to RFC 7712 (now out of draft) Remove unused ref to the now out of draft dns-dna --- xep-0220.xml | 8 +++++++- xep.ent | 4 +--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/xep-0220.xml b/xep-0220.xml index 6a71f07f..035b7323 100644 --- a/xep-0220.xml +++ b/xep-0220.xml @@ -26,6 +26,12 @@ &jer; &stpeter; &fippo; + + 1.1.1 + 2015-03-12 + ssw + Update DNA framework reference to RFC 7712. + 1.1 2014-08-05 @@ -196,7 +202,7 @@

Traditionally, the verification accomplished in Server Dialback has depended on the Domain Name System (DNS) and the use of keys based on a shared secret known to all XMPP servers within a given administrative domain. It is a proof-of-possession protocol in the sense of &rfc4949; which asserts that the initiating server and the authoritative server are associated with each other. The relative strength or weakness of the verification depends in part on the strength or weakness of the process for resolving the domain names of the authoritative server; in particular, if DNSSEC is not used then Server Dialback results in weak identity verification, whereas if DNSSEC is used then Server Dialback can result in fairly strong identity verification.

Since October 2000, the use of Server Dialback (even absent DNSSEC) has made it more difficult to spoof the hostnames of servers (and therefore the addresses of sent messages) on the XMPP network.

Server Dialback is unidirectional, and results in verification for one XML stream in one direction. Because traditionally Server-to-Server connections are used unidirectionally, Server Dialback needs to be completed in each direction in order to enable bidirectional communication between two domains (unless &xep0288; is used).

-

Furthermore, because a separate TCP connection is mandated for each domain pair, the use of server dialback results in significant scalability challenges for large XMPP service providers that host many domains (see &dna-framework; for a possible solution).

+

Furthermore, because a separate TCP connection is mandated for each domain pair, the use of server dialback results in significant scalability challenges for large XMPP service providers that host many domains (see &rfc7712; for a possible solution).

Finally, dialback signalling can be used without basing the identity verification on checking of the dialback key provided by the Initiating Server. As one example, if Transport Layer Security (TLS) is used then the Receiving Server can attempt to verify the certificate presented by the Initiating Server, either according to the PKIX-based rules specified in &xep0178;, RFC 6120, and &rfc6125; or by checking that the public key or certificate of the Initiating Server matches a public key or certificate obtained via &posh;. However, this technique of using dialback signalling without verifying the dialback key (sometimes called "dialback without dialing back" since the Receiving Server does not contact the Authoritative Server) is not described in this document.

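Review bot: the new revision entry in the @@ -26,6 +26,12 @@ hunk is dated `2015-03-12`, but the patch's own Date header reads Sat, 12 Mar 2016 and the preceding revision (1.1) is dated 2014-08-05, so the year looks like a typo; change it to `2016-03-12` before merging, since the revision history is what readers rely on to tell which edition cited the draft and which cites the RFC.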
diff --git a/xep.ent b/xep.ent index 6904b071..2f96cc81 100644 --- a/xep.ent +++ b/xep.ent @@ -646,6 +646,7 @@ THE SOFTWARE. RFC 7572 RFC 7572: Interworking between the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP): Instant Messaging <http://tools.ietf.org/html/rfc7572>." > RFC 7622 RFC 7622: Extensible Messaging and Presence Protocol (XMPP): Address Format <http://tools.ietf.org/html/rfc7622>." > RFC 7395 RFC 7395: An Extensible Messaging and Presence Protocol (XMPP) Subprotocol for WebSocket <http://tools.ietf.org/html/rfc7395>." > +RFC 7712 RFC 7712: Domain Name Associations (DNA) in the Extensible Messaging and Presence Protocol (XMPP)<http://tools.ietf.org/html/rfc7712>." 
> @@ -653,8 +654,6 @@ THE SOFTWARE. AtomSub Atomsub: Transporting Atom Notifications over the Publish-Subscribe Extension to the Extensible Messaging and Presence Protocol (XMPP) <http://xmpp.org/internet-drafts/draft-saintandre-atompub-notify-07.html>. Work in progress." > draft-ietf-mmusic-sdp-bundle-negotiation Negotiating Media Multiplexing Using the Session Description Protocol (SDP) <https://datatracker.ietf.org/doc/draft-ietf-mmusic-sdp-bundle-negotiation/>. Work in progress." > CUSAX CUSAX: Combined Use of the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP) <https://datatracker.ietf.org/doc/draft-ivov-xmpp-cusax/>. Work in progress." > -draft-miller-xmpp-dnssec-prooftype Using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) as a Prooftype for XMPP Domain Name Associations <http://datatracker.ietf.org/doc/draft-miller-xmpp-dnssec-prooftype/>. Work in progress." > -DNA Domain Name Associations (DNA) in the Extensible Messaging and Presence Protocol (XMPP) <http://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/>. Work in progress." > DTLS-SRTP Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP) <http://tools.ietf.org/html/draft-ietf-avt-dtls-srtp>. Work in progress." > Geopriv Policy Geopriv Policy <http://tools.ietf.org/html/draft-ietf-geopriv-policy>. Work in progress." > IAX IAX: Inter-Asterisk eXchange Version 2 <http://tools.ietf.org/html/draft-ietf-guy-iax>. Work in progress." 
> @@ -709,7 +708,6 @@ IANA Service Location Protocol, Version 2 (SLPv2) Templates XMPP Extensible Messaging and Presence Protocol (XMPP) <http://xmpp.org/>." > XMPP Core RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core <http://tools.ietf.org/html/rfc6120>." > XMPP CPIM RFC 3922: Mapping the Extensible Messaging and Presence Protocol (XMPP) to Common Presence and Instant Messaging (CPIM) <http://tools.ietf.org/html/rfc3922>." > -Domain Name Assertions Domain Name Assertions <http://tools.ietf.org/html/draft-ietf-xmpp-dna>." > XMPP E2E RFC 3923: End-to-End Signing and Object Encryption for the Extensible Messaging and Presence Protocol (XMPP) <http://tools.ietf.org/html/rfc3923>." > XMPP IM RFC 6121: Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence <http://tools.ietf.org/html/rfc6121>." > XMPP URI Scheme Internationalized Resource Identifiers (IRIs) and Uniform Resource Identifiers (URIs) for the Extensible Messaging and Presence Protocol (XMPP) <http://tools.ietf.org/html/rfc5122>." >
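Review bot: the added RFC 7712 entry in the @@ -646,6 +646,7 @@ hunk is missing the space between the title and the URL (`(XMPP)<http://tools.ietf.org/html/rfc7712>`), whereas the neighbouring RFC 7395 and RFC 7622 entries read `(XMPP) <http://...>`; add the space so the rendered reference matches the others.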
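Review bot: the @@ -653,8 +654,6 @@ hunk removes two entity definitions (draft-miller-xmpp-dnssec-prooftype and DNA) and the @@ -709,7 +708,6 @@ hunk removes a third (Domain Name Assertions), while the commit message speaks of removing a single unused ref and does not mention the DNSSEC/DANE prooftype entry at all; before merging, confirm that no XEP still references any of the three, since xep.ent is shared across documents and a reference to an undefined entity makes the referencing XML fail to parse.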