From ce07ca98283927929d54f25b362b9b288f8f764d Mon Sep 17 00:00:00 2001 From: Sam Whited Date: Thu, 9 Mar 2017 09:25:59 -0600 Subject: [PATCH] XEP-0368: Advance to draft Also various editorial formatting fixes. --- xep-0368.xml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/xep-0368.xml b/xep-0368.xml index 501cb225..62eb2d2a 100644 --- a/xep-0368.xml +++ b/xep-0368.xml @@ -10,7 +10,7 @@ This specification defines a procedure to look up xmpps-client/xmpps-server SRV records (for direct TLS connections) in addition to xmpp-client/xmpp-server and mix weights/priorities. &LEGALNOTICE; 0368 - Proposed + Draft 2017-02-22 2017-02-11 Standards Track @@ -29,6 +29,12 @@ travis@burtrum.org travis@burtrum.org + + 1.0.0 + 2017-03-09 + XEP Editor (ssw) +

Advance to draft as approved by the XMPP Council.

 + 0.1.2 2017-02-15 @@ -78,17 +84,17 @@ -

XMPP Core defines SRV records only where 'service' is 'xmpp-client' and 'xmpp-server'. This document specifies to additionally look up records where 'service' is 'xmpps-client' and 'xmpps-server'. This document specifies that the following additional rules apply:

+

&xmppcore; defines SRV records only where 'service' is 'xmpp-client' and 'xmpp-server'. This document specifies to additionally look up records where 'service' is 'xmpps-client' and 'xmpps-server'. This document specifies that the following additional rules apply:

    -
  1. Both 'xmpp-' and 'xmpps-' records SHOULD be treated as the same record with regard to connection order as specified by RFC 2782, in that all priorities and weights are mixed. This enables the server operator to decide if they would rather clients connect with STARTTLS or direct TLS. However, clients MAY choose to prefer one type of connection over the other.
    2. +
  2. Both 'xmpp-' and 'xmpps-' records SHOULD be treated as the same record with regard to connection order as specified by &rfc2782;, in that all priorities and weights are mixed. This enables the server operator to decide if they would rather clients connect with STARTTLS or direct TLS. However, clients MAY choose to prefer one type of connection over the other.
  3. Where 'service' starts with 'xmpps-' the client or server MUST connect with direct TLS enabled.
    4. -
  4. Where 'service' starts with 'xmpp-' the client or server MUST NOT connect with direct TLS enabled, connection method is unchanged from XMPP Core.
    5. -
  5. TLS certificates MUST be validated the same way as for STARTTLS. (i.e., as specified in XMPP Core).
    6. +
  6. Where 'service' starts with 'xmpp-' the client or server MUST NOT connect with direct TLS enabled, connection method is unchanged from &xmppcore;.
    7. +
  7. TLS certificates MUST be validated the same way as for STARTTLS. (i.e., as specified in &xmppcore;).
  8. STARTTLS MUST NOT be used over direct TLS connections.
  9. Client or server MUST set SNI TLS extension to the JID's domain part.
  10. Client or server SHOULD set the ALPN (&rfc7301;) TLS extension.
    11. -
  11. When ALPN is used, the ALPN protocol MUST be 'xmpp-client', where the SRV service is 'xmpps-client'.
    12. -
  12. When ALPN is used, the ALPN protocol MUST be 'xmpp-server', where the SRV service is 'xmpps-server'.
    13. +
  13. When ALPN is used, the ALPN protocol MUST be 'xmpp-client', where the SRV service is 'xmpps-client'.
    14. +
  14. When ALPN is used, the ALPN protocol MUST be 'xmpp-server', where the SRV service is 'xmpps-server'.
@@ -102,20 +108,20 @@

Direct TLS provides AT LEAST the same level of security as STARTTLS, and more privacy without ALPN as using STARTTLS leaks that the underlying protocol is XMPP, while any direct TLS stream should be indistinguishable from any other direct TLS stream. Direct TLS provides more security than STARTTLS if &rfc7590; is not followed, as it isn't subject to STARTTLS stripping. All security setup and certificate validation code SHOULD be shared between the STARTTLS and direct TLS logic as well. All SRV-based connection methods are subject to DNS modification/stripping/spoofing of SRV records in the absence of DNSSEC.

 -

ALPN (RFC 7301) requires registration of new Protocol IDs. This document specifies two Protocol IDs:

+

ALPN (&rfc7301;) requires registration of new Protocol IDs. This document specifies two Protocol IDs:

Protocol: XMPP jabber:client namespace
Identification Sequence:
   0x78 0x6d 0x70 0x70 0x2d 0x63 0x6c 0x69 0x65 0x6e 0x74 ("xmpp-client")
-Reference: [XEP-0368] +Reference: [&xep0368;]

Protocol: XMPP jabber:server namespace
Identification Sequence:
   0x78 0x6d 0x70 0x70 0x2d 0x73 0x65 0x72 0x76 0x65 0x72 ("xmpp-server")
-Reference: [XEP-0368] +Reference: [&xep0368;]

The ALPN registry is currently located here.

@@ -129,6 +135,6 @@ Reference: [XEP-0368 -

There are no XMPP Registrar Considerations.

+

This document requires no interaction with the ®ISTRAR;.