| < draft-ietf-uta-xmpp-02.txt | draft-ietf-uta-xmpp-03.txt > | |||
|---|---|---|---|---|
| Network Working Group P. Saint-Andre | Network Working Group P. Saint-Andre | |||
| Internet-Draft &yet | Internet-Draft &yet | |||
| Updates: 6120 (if approved) T. Alkemade | Updates: 6120 (if approved) T. Alkemade | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: March 26, 2015 September 22, 2014 | Expires: May 15, 2015 November 11, 2014 | |||
| Use of Transport Layer Security (TLS) in the Extensible Messaging and | Use of Transport Layer Security (TLS) in the Extensible Messaging and | |||
| Presence Protocol (XMPP) | Presence Protocol (XMPP) | |||
| draft-ietf-uta-xmpp-02 | draft-ietf-uta-xmpp-03 | |||
| Abstract | Abstract | |||
| This document provides recommendations for the use of Transport Layer | This document provides recommendations for the use of Transport Layer | |||
| Security (TLS) in the Extensible Messaging and Presence Protocol | Security (TLS) in the Extensible Messaging and Presence Protocol | |||
| (XMPP). This document updates RFC 6120. | (XMPP). This document updates RFC 6120. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 26, 2015. | This Internet-Draft will expire on May 15, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 11 ¶ | skipping to change at page 2, line 11 ¶ | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. Support for TLS . . . . . . . . . . . . . . . . . . . . . 3 | 3.1. Support for TLS . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.2. Protocol Versions . . . . . . . . . . . . . . . . . . . . 3 | 3.2. Compression . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.3. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 3 | 3.3. Session Resumption . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.4. Public Key Length . . . . . . . . . . . . . . . . . . . . 3 | 3.4. Authenticated Connections . . . . . . . . . . . . . . . . 3 | |||
| 3.5. Compression . . . . . . . . . . . . . . . . . . . . . . . 3 | 3.5. Unauthenticated Connections . . . . . . . . . . . . . . . 4 | |||
| 3.6. Session Resumption . . . . . . . . . . . . . . . . . . . 4 | 3.6. Server Name Indication . . . . . . . . . . . . . . . . . 4 | |||
| 3.7. Authenticated Connections . . . . . . . . . . . . . . . . 4 | 3.7. Human Factors . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.8. Unauthenticated Connections . . . . . . . . . . . . . . . 4 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.9. Server Name Indication . . . . . . . . . . . . . . . . . 4 | ||||
| 3.10. Human Factors . . . . . . . . . . . . . . . . . . . . . . 5 | ||||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | ||||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Appendix A. Implementation Notes . . . . . . . . . . . . . . . . 7 | Appendix A. Implementation Notes . . . . . . . . . . . . . . . . 7 | |||
| Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 7 | Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 7 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1. Introduction | 1. Introduction | |||
| The Extensible Messaging and Presence Protocol (XMPP) [RFC6120] | The Extensible Messaging and Presence Protocol (XMPP) [RFC6120] | |||
| (along with its precursor, the so-called "Jabber protocol") has used | (along with its precursor, the so-called "Jabber protocol") has used | |||
| Transport Layer Security (TLS) [RFC5246] (along with its precursor, | Transport Layer Security (TLS) [RFC5246] (along with its precursor, | |||
| Secure Sockets Layer or SSL) since 1999. Both [RFC6120] and its | Secure Sockets Layer or SSL) since 1999. Both [RFC6120] and its | |||
| predecessor [RFC3920] provided recommendations regarding the use of | predecessor [RFC3920] provided recommendations regarding the use of | |||
| TLS in XMPP. In order to address the evolving threat model on the | TLS in XMPP. In order to address the evolving threat model on the | |||
| Internet today, this document provides stronger recommendations based | Internet today, this document provides stronger recommendations. | |||
| on [I-D.ietf-uta-tls-bcp]. This document updates [RFC6120]. | ||||
| NOTE: Unless explicitly noted otherwise, all of the | ||||
| recommendations specified in [I-D.ietf-uta-tls-bcp] apply to XMPP. | ||||
| In the main, this document merely provides supplementary | ||||
| information; those who implement and deploy XMPP technologies are | ||||
| expected to follow the recommendations of [I-D.ietf-uta-tls-bcp]. | ||||
| This document updates [RFC6120]. | ||||
| 2. Terminology | 2. Terminology | |||
| Various security-related terms are to be understood in the sense | Various security-related terms are to be understood in the sense | |||
| defined in [RFC4949]. | defined in [RFC4949]. | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| [RFC2119]. | [RFC2119]. | |||
| 3. Recommendations | 3. Recommendations | |||
| 3.1. Support for TLS | 3.1. Support for TLS | |||
| Support for TLS (specifically, the XMPP profile of STARTTLS) is | Support for TLS (specifically, the XMPP profile of STARTTLS) is | |||
| mandatory for XMPP implementations, as already specified in [RFC6120] | mandatory for XMPP implementations, as already specified in [RFC6120] | |||
| and its predecessor [RFC3920]. | and its predecessor [RFC3920]. | |||
| If the server to which a client or peer server connects does not | The server (i.e., the XMPP receiving entity) to which a client or | |||
| peer server (i.e., the XMPP initiating entity) connects might not | ||||
| offer a stream feature of <starttls xmlns='urn:ietf:params:xml:ns | offer a stream feature of <starttls xmlns='urn:ietf:params:xml:ns | |||
| :xmpp-tls'/> (thus indicating that it is an XMPP 1.0 server that | :xmpp-tls'/>. Although in general this stream feature indicates that | |||
| supports TLS), the initiating entity MUST NOT proceed with the stream | the server supports XMPP 1.0 and therefore supports TLS, it is | |||
| negotiation and MUST instead abort the connection attempt. Although | possible that this stream feature might be stripped out by an | |||
| XMPP servers SHOULD include the <required/> child element to indicate | attacker (see Section 2.1 of [I-D.ietf-uta-tls-attacks]). Therefore, | |||
| that negotiation of TLS is mandatory, clients and peer servers MUST | the initiating entity SHOULD proceed with the stream negotiation even | |||
| NOT depend on receiving the <required/> flag in determining whether | if the receiving entity does not advertise support for TLS. | |||
| TLS will be enforced for the stream. | Similarly, although a receiving entity SHOULD include the <required/> | |||
| child element to indicate that negotiation of TLS is mandatory, an | ||||
| 3.2. Protocol Versions | initiating entity MUST NOT depend on receiving the <required/> flag | |||
| in determining whether TLS will be enforced for the stream. | ||||
| Implementations MUST follow the recommendations in Section 4.1 of | ||||
| [I-D.ietf-uta-tls-bcp] as to supporting various TLS versions and | ||||
| avoiding fallback to SSL. | ||||
| 3.3. Cipher Suites | ||||
| Implementations MUST follow the recommendations in Section 5 of | ||||
| [I-D.ietf-uta-tls-bcp]. | ||||
| 3.4. Public Key Length | ||||
| Implementations MUST follow the recommendations in Section 5.4 of | ||||
| [I-D.ietf-uta-tls-bcp]. | ||||
| 3.5. Compression | ||||
| Implementations MUST follow the recommendations in Section 4.5 of | ||||
| [I-D.ietf-uta-tls-bcp]. | ||||
| XMPP supports an application-layer compression technology [XEP-0138], | 3.2. Compression | |||
| which might have slightly stronger security properties than TLS (at | ||||
| least because it is enabled after SASL authentication, as described | ||||
| in [XEP-0170]). | ||||
| 3.6. Session Resumption | XMPP supports an application-layer compression technology [XEP-0138]. | |||
| Although this XMPP extension might have slightly stronger security | ||||
| properties than TLS-layer compression (since it is enabled after SASL | ||||
| authentication, as described in [XEP-0170]), this document neither | ||||
| encourages nor discourages use of XMPP-layer compression. | ||||
| Implementations MUST follow the recommendations in Section 4.6 of | 3.3. Session Resumption | |||
| [I-D.ietf-uta-tls-bcp]. | ||||
| Use of session IDs [RFC5246] is RECOMMENDED instead of session | Use of session IDs [RFC5246] is RECOMMENDED instead of session | |||
| tickets [RFC5077], since XMPP does not in general use state | tickets [RFC5077], since XMPP does not in general use state | |||
| management technologies such as tickets or "cookies" [RFC6265]. | management technologies such as tickets or "cookies" [RFC6265]. | |||
| In XMPP, TLS session resumption can be used in concert with the XMPP | In XMPP, TLS session resumption can be used in concert with the XMPP | |||
| Stream Management extension; see [XEP-0198] for further details. | Stream Management extension; see [XEP-0198] for further details. | |||
| 3.7. Authenticated Connections | 3.4. Authenticated Connections | |||
| Both the core XMPP specification [RFC6120] and the "CertID" | Both the core XMPP specification [RFC6120] and the "CertID" | |||
| specification [RFC6125] provide recommendations and requirements for | specification [RFC6125] provide recommendations and requirements for | |||
| certificate validation in the context of authenticated connections. | certificate validation in the context of authenticated connections. | |||
| This document does not supersede those specifications. Wherever | This document does not supersede those specifications. Wherever | |||
| possible, it is best to prefer authenticated connections (along with | possible, it is best to prefer authenticated connections (along with | |||
| SASL [RFC4422]), as already stated in the core XMPP specification | SASL [RFC4422]), as already stated in the core XMPP specification | |||
| [RFC6120]. In particular, clients MUST authenticate servers. | [RFC6120]. In particular, clients MUST authenticate servers. | |||
| 3.8. Unauthenticated Connections | 3.5. Unauthenticated Connections | |||
| Given the pervasiveness of passive eavesdropping, even an | Given the pervasiveness of passive eavesdropping, even an | |||
| unauthenticated connection might be better than an unencrypted | unauthenticated connection might be better than an unencrypted | |||
| connection (this is similar to the "better than nothing security" | connection (this is similar to the "better than nothing security" | |||
| approach for IPsec [RFC5386]). In particular, because of current | approach for IPsec [RFC5386]). In particular, because of current | |||
| deployment challenges for authenticated connections between XMPP | deployment challenges for authenticated connections between XMPP | |||
| servers (see [I-D.ietf-xmpp-dna] for details), it might be reasonable | servers (see [I-D.ietf-xmpp-dna] and [I-D.ietf-xmpp-posh] for | |||
| for XMPP server implementations to accept unauthenticated connections | details), it might be reasonable for XMPP server implementations to | |||
| when the Server Dialback protocol [XEP-0220] is used for weak | accept unauthenticated connections when the Server Dialback protocol | |||
| identity verification; this will at least enable encryption of | [XEP-0220] is used for weak identity verification; this will at least | |||
| server-to-server connections. Unauthenticated connections include | enable encryption of server-to-server connections. Unauthenticated | |||
| connections negotiated using anonymous Diffie-Hellman algorithms or | connections include connections negotiated using anonymous Diffie- | |||
| using self-signed certificates, among other scenarios. | Hellman algorithms or using self-signed certificates, among other | |||
| scenarios. | ||||
| 3.9. Server Name Indication | 3.6. Server Name Indication | |||
| Although there is no harm in supporting the TLS Server Name | Although there is no harm in supporting the TLS Server Name | |||
| Indication (SNI) extension [RFC6066], this is not necessary since the | Indication (SNI) extension [RFC6066], this is not necessary since the | |||
| same function is served in XMPP by the 'to' address of the initial | same function is served in XMPP by the 'to' address of the initial | |||
| stream header as explained in Section 4.7.2 of [RFC6120]. | stream header as explained in Section 4.7.2 of [RFC6120]. | |||
| 3.10. Human Factors | 3.7. Human Factors | |||
| It is strongly encouraged that XMPP clients provide ways for end | It is strongly encouraged that XMPP clients provide ways for end | |||
| users (and that XMPP servers provide ways for administrators) to | users (and that XMPP servers provide ways for administrators) to | |||
| complete the following tasks: | complete the following tasks: | |||
| o Determine if a client-to-server or server-to-server connection is | o Determine if a client-to-server or server-to-server connection is | |||
| encrypted and authenticated. | encrypted and authenticated. | |||
| o Determine the version of TLS used for a client-to-server or | o Determine the version of TLS used for a client-to-server or | |||
| server-to-server connection. | server-to-server connection. | |||
| skipping to change at page 6, line 14 ¶ | skipping to change at page 5, line 40 ¶ | |||
| encryption technologies will serve to protect XMPP communications to | encryption technologies will serve to protect XMPP communications to | |||
| a measurable degree, compared to the alternatives. | a measurable degree, compared to the alternatives. | |||
| 6. References | 6. References | |||
| 6.1. Normative References | 6.1. Normative References | |||
| [I-D.ietf-uta-tls-bcp] | [I-D.ietf-uta-tls-bcp] | |||
| Sheffer, Y., Holz, R., and P. Saint-Andre, | Sheffer, Y., Holz, R., and P. Saint-Andre, | |||
| "Recommendations for Secure Use of TLS and DTLS", draft- | "Recommendations for Secure Use of TLS and DTLS", draft- | |||
| ietf-uta-tls-bcp-03 (work in progress), September 2014. | ietf-uta-tls-bcp-07 (work in progress), November 2014. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC | |||
| 4949, August 2007. | 4949, August 2007. | |||
| [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, | [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, | |||
| "Transport Layer Security (TLS) Session Resumption without | "Transport Layer Security (TLS) Session Resumption without | |||
| Server-Side State", RFC 5077, January 2008. | Server-Side State", RFC 5077, January 2008. | |||
| skipping to change at page 6, line 40 ¶ | skipping to change at page 6, line 19 ¶ | |||
| Protocol (XMPP): Core", RFC 6120, March 2011. | Protocol (XMPP): Core", RFC 6120, March 2011. | |||
| [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | |||
| Verification of Domain-Based Application Service Identity | Verification of Domain-Based Application Service Identity | |||
| within Internet Public Key Infrastructure Using X.509 | within Internet Public Key Infrastructure Using X.509 | |||
| (PKIX) Certificates in the Context of Transport Layer | (PKIX) Certificates in the Context of Transport Layer | |||
| Security (TLS)", RFC 6125, March 2011. | Security (TLS)", RFC 6125, March 2011. | |||
| 6.2. Informative References | 6.2. Informative References | |||
| [I-D.ietf-uta-tls-attacks] | ||||
| Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing | ||||
| Current Attacks on TLS and DTLS", draft-ietf-uta-tls- | ||||
| attacks-05 (work in progress), October 2014. | ||||
| [I-D.ietf-xmpp-dna] | [I-D.ietf-xmpp-dna] | |||
| Saint-Andre, P. and M. Miller, "Domain Name Associations | Saint-Andre, P. and M. Miller, "Domain Name Associations | |||
| (DNA) in the Extensible Messaging and Presence Protocol | (DNA) in the Extensible Messaging and Presence Protocol | |||
| (XMPP)", draft-ietf-xmpp-dna-06 (work in progress), June | (XMPP)", draft-ietf-xmpp-dna-08 (work in progress), | |||
| 2014. | October 2014. | |||
| [I-D.ietf-xmpp-posh] | ||||
| Miller, M. and P. Saint-Andre, "PKIX over Secure HTTP | ||||
| (POSH)", draft-ietf-xmpp-posh-02 (work in progress), | ||||
| October 2014. | ||||
| [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence | [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence | |||
| Protocol (XMPP): Core", RFC 3920, October 2004. | Protocol (XMPP): Core", RFC 3920, October 2004. | |||
| [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and | [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and | |||
| Security Layer (SASL)", RFC 4422, June 2006. | Security Layer (SASL)", RFC 4422, June 2006. | |||
| [RFC5386] Williams, N. and M. Richardson, "Better-Than-Nothing | [RFC5386] Williams, N. and M. Richardson, "Better-Than-Nothing | |||
| Security: An Unauthenticated Mode of IPsec", RFC 5386, | Security: An Unauthenticated Mode of IPsec", RFC 5386, | |||
| November 2008. | November 2008. | |||
| skipping to change at page 7, line 40 ¶ | skipping to change at page 7, line 30 ¶ | |||
| Dialback", XSF XEP 0220, September 2013. | Dialback", XSF XEP 0220, September 2013. | |||
| Appendix A. Implementation Notes | Appendix A. Implementation Notes | |||
| Some governments enforce legislation prohibiting the export of strong | Some governments enforce legislation prohibiting the export of strong | |||
| cryptographic technologies. Nothing in this document ought to be | cryptographic technologies. Nothing in this document ought to be | |||
| taken as advice to violate such prohibitions. | taken as advice to violate such prohibitions. | |||
| Appendix B. Acknowledgements | Appendix B. Acknowledgements | |||
| Thanks to the following individuals for their input: Dave Cridland, | The authors would like to thank the following individuals for their | |||
| Philipp Hancke, Olle Johansson, Steve Kille, Tobias Markmann, Matt | input: Dave Cridland, Philipp Hancke, Olle Johansson, Steve Kille, | |||
| Miller, and Rene Treffer. | Tobias Markmann, Matt Miller, and Rene Treffer. | |||
| Authors' Addresses | Authors' Addresses | |||
| Peter Saint-Andre | Peter Saint-Andre | |||
| &yet | &yet | |||
| P.O. Box 787 | ||||
| Parker, CO 80134 | ||||
| USA | ||||
| Email: peter@andyet.net | Email: peter@andyet.com | |||
| URI: https://andyet.com/ | ||||
| Thijs Alkemade | Thijs Alkemade | |||
| Email: me@thijsalkema.de | Email: me@thijsalkema.de | |||
| End of changes. 22 change blocks. | ||||
| 74 lines changed or deleted | 71 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||