| < draft-ietf-uta-xmpp-03.txt | draft-ietf-uta-xmpp-04.txt > | |||
|---|---|---|---|---|
| Network Working Group P. Saint-Andre | Network Working Group P. Saint-Andre | |||
| Internet-Draft &yet | Internet-Draft &yet | |||
| Updates: 6120 (if approved) T. Alkemade | Updates: 6120 (if approved) T. Alkemade | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: May 15, 2015 November 11, 2014 | Expires: May 30, 2015 November 26, 2014 | |||
| Use of Transport Layer Security (TLS) in the Extensible Messaging and | Use of Transport Layer Security (TLS) in the Extensible Messaging and | |||
| Presence Protocol (XMPP) | Presence Protocol (XMPP) | |||
| draft-ietf-uta-xmpp-03 | draft-ietf-uta-xmpp-04 | |||
| Abstract | Abstract | |||
| This document provides recommendations for the use of Transport Layer | This document provides recommendations for the use of Transport Layer | |||
| Security (TLS) in the Extensible Messaging and Presence Protocol | Security (TLS) in the Extensible Messaging and Presence Protocol | |||
| (XMPP). This document updates RFC 6120. | (XMPP). This document updates RFC 6120. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 15, 2015. | This Internet-Draft will expire on May 30, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 17 ¶ | skipping to change at page 2, line 17 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. Support for TLS . . . . . . . . . . . . . . . . . . . . . 3 | 3.1. Support for TLS . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.2. Compression . . . . . . . . . . . . . . . . . . . . . . . 3 | 3.2. Compression . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.3. Session Resumption . . . . . . . . . . . . . . . . . . . 3 | 3.3. Session Resumption . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.4. Authenticated Connections . . . . . . . . . . . . . . . . 3 | 3.4. Authenticated Connections . . . . . . . . . . . . . . . . 3 | |||
| 3.5. Unauthenticated Connections . . . . . . . . . . . . . . . 4 | 3.5. Unauthenticated Connections . . . . . . . . . . . . . . . 4 | |||
| 3.6. Server Name Indication . . . . . . . . . . . . . . . . . 4 | 3.6. Server Name Indication . . . . . . . . . . . . . . . . . 4 | |||
| 3.7. Human Factors . . . . . . . . . . . . . . . . . . . . . . 4 | 3.7. Human Factors . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Appendix A. Implementation Notes . . . . . . . . . . . . . . . . 7 | Appendix A. Implementation Notes . . . . . . . . . . . . . . . . 7 | |||
| Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 7 | Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 7 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1. Introduction | 1. Introduction | |||
| skipping to change at page 3, line 37 ¶ | skipping to change at page 3, line 37 ¶ | |||
| 3.2. Compression | 3.2. Compression | |||
| XMPP supports an application-layer compression technology [XEP-0138]. | XMPP supports an application-layer compression technology [XEP-0138]. | |||
| Although this XMPP extension might have slightly stronger security | Although this XMPP extension might have slightly stronger security | |||
| properties than TLS-layer compression (since it is enabled after SASL | properties than TLS-layer compression (since it is enabled after SASL | |||
| authentication, as described in [XEP-0170]), this document neither | authentication, as described in [XEP-0170]), this document neither | |||
| encourages nor discourages use of XMPP-layer compression. | encourages nor discourages use of XMPP-layer compression. | |||
| 3.3. Session Resumption | 3.3. Session Resumption | |||
| Use of session IDs [RFC5246] is RECOMMENDED instead of session | ||||
| tickets [RFC5077], since XMPP does not in general use state | ||||
| management technologies such as tickets or "cookies" [RFC6265]. | ||||
| In XMPP, TLS session resumption can be used in concert with the XMPP | In XMPP, TLS session resumption can be used in concert with the XMPP | |||
| Stream Management extension; see [XEP-0198] for further details. | Stream Management extension; see [XEP-0198] for further details. | |||
| 3.4. Authenticated Connections | 3.4. Authenticated Connections | |||
| Both the core XMPP specification [RFC6120] and the "CertID" | Both the core XMPP specification [RFC6120] and the "CertID" | |||
| specification [RFC6125] provide recommendations and requirements for | specification [RFC6125] provide recommendations and requirements for | |||
| certificate validation in the context of authenticated connections. | certificate validation in the context of authenticated connections. | |||
| This document does not supersede those specifications. Wherever | This document does not supersede those specifications. Wherever | |||
| possible, it is best to prefer authenticated connections (along with | possible, it is best to prefer authenticated connections (along with | |||
| SASL [RFC4422]), as already stated in the core XMPP specification | SASL [RFC4422]), as already stated in the core XMPP specification | |||
| [RFC6120]. In particular, clients MUST authenticate servers. | [RFC6120]. In particular, clients MUST authenticate servers. | |||
| Because this document does not mandate that servers need to | ||||
| authenticate peer servers, unauthenticated server-to-server | ||||
| connections are allowed (consistent with current practice on the XMPP | ||||
| network). | ||||
| This document does not modify the recommendations in [RFC6120] | ||||
| regarding the Subject Alternative Names (or other certificate | ||||
| details) that need to be supported for authentication of XMPP | ||||
| connections. | ||||
| 3.5. Unauthenticated Connections | 3.5. Unauthenticated Connections | |||
| Given the pervasiveness of passive eavesdropping, even an | Given the pervasiveness of passive eavesdropping, even an | |||
| unauthenticated connection might be better than an unencrypted | unauthenticated connection might be better than an unencrypted | |||
| connection (this is similar to the "better than nothing security" | connection (this is similar to the "better than nothing security" | |||
| approach for IPsec [RFC5386]). In particular, because of current | approach for IPsec [RFC5386]). In particular, because of current | |||
| deployment challenges for authenticated connections between XMPP | deployment challenges for authenticated connections between XMPP | |||
| servers (see [I-D.ietf-xmpp-dna] and [I-D.ietf-xmpp-posh] for | servers (see [I-D.ietf-xmpp-dna] and [I-D.ietf-xmpp-posh] for | |||
| details), it might be reasonable for XMPP server implementations to | details), it can be reasonable for XMPP server implementations to | |||
| accept unauthenticated connections when the Server Dialback protocol | accept unauthenticated connections when the Server Dialback protocol | |||
| [XEP-0220] is used for weak identity verification; this will at least | [XEP-0220] is used for weak identity verification; this will at least | |||
| enable encryption of server-to-server connections. Unauthenticated | enable encryption of server-to-server connections. Unauthenticated | |||
| connections include connections negotiated using anonymous Diffie- | connections include connections negotiated using anonymous Diffie- | |||
| Hellman algorithms or using self-signed certificates, among other | Hellman algorithms or using self-signed certificates, among other | |||
| scenarios. | scenarios. | |||
| 3.6. Server Name Indication | 3.6. Server Name Indication | |||
| Although there is no harm in supporting the TLS Server Name | Although there is no harm in supporting the TLS Server Name | |||
| skipping to change at page 5, line 48 ¶ | skipping to change at page 6, line 5 ¶ | |||
| Sheffer, Y., Holz, R., and P. Saint-Andre, | Sheffer, Y., Holz, R., and P. Saint-Andre, | |||
| "Recommendations for Secure Use of TLS and DTLS", draft- | "Recommendations for Secure Use of TLS and DTLS", draft- | |||
| ietf-uta-tls-bcp-07 (work in progress), November 2014. | ietf-uta-tls-bcp-07 (work in progress), November 2014. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC | |||
| 4949, August 2007. | 4949, August 2007. | |||
| [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, | ||||
| "Transport Layer Security (TLS) Session Resumption without | ||||
| Server-Side State", RFC 5077, January 2008. | ||||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence | [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence | |||
| Protocol (XMPP): Core", RFC 6120, March 2011. | Protocol (XMPP): Core", RFC 6120, March 2011. | |||
| [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | |||
| Verification of Domain-Based Application Service Identity | Verification of Domain-Based Application Service Identity | |||
| within Internet Public Key Infrastructure Using X.509 | within Internet Public Key Infrastructure Using X.509 | |||
| (PKIX) Certificates in the Context of Transport Layer | (PKIX) Certificates in the Context of Transport Layer | |||
| skipping to change at page 6, line 48 ¶ | skipping to change at page 6, line 48 ¶ | |||
| [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and | [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and | |||
| Security Layer (SASL)", RFC 4422, June 2006. | Security Layer (SASL)", RFC 4422, June 2006. | |||
| [RFC5386] Williams, N. and M. Richardson, "Better-Than-Nothing | [RFC5386] Williams, N. and M. Richardson, "Better-Than-Nothing | |||
| Security: An Unauthenticated Mode of IPsec", RFC 5386, | Security: An Unauthenticated Mode of IPsec", RFC 5386, | |||
| November 2008. | November 2008. | |||
| [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: | [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: | |||
| Extension Definitions", RFC 6066, January 2011. | Extension Definitions", RFC 6066, January 2011. | |||
| [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, | ||||
| April 2011. | ||||
| [XEP-0138] | [XEP-0138] | |||
| Hildebrand, J. and P. Saint-Andre, "Stream Compression", | Hildebrand, J. and P. Saint-Andre, "Stream Compression", | |||
| XSF XEP 0138, May 2009. | XSF XEP 0138, May 2009. | |||
| [XEP-0170] | [XEP-0170] | |||
| Saint-Andre, P., "Recommended Order of Stream Feature | Saint-Andre, P., "Recommended Order of Stream Feature | |||
| Negotiation", XSF XEP 0170, January 2007. | Negotiation", XSF XEP 0170, January 2007. | |||
| [XEP-0198] | [XEP-0198] | |||
| Karneges, J., Saint-Andre, P., Hildebrand, J., Forno, F., | Karneges, J., Saint-Andre, P., Hildebrand, J., Forno, F., | |||
| End of changes. 9 change blocks. | ||||
| 16 lines changed or deleted | 14 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||