| < draft-saintandre-xmpp-tls-05.txt | draft-saintandre-xmpp-tls-06.txt > | |||
|---|---|---|---|---|
| Network Working Group P. Saint-Andre | Network Working Group P. Saint-Andre | |||
| Internet-Draft &yet | Internet-Draft &yet | |||
| Updates: 6120 (if approved) T. Alkemade | Updates: 6120 (if approved) T. Alkemade | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: August 17, 2014 February 13, 2014 | Expires: September 5, 2014 March 4, 2014 | |||
| Use of Transport Layer Security (TLS) in the Extensible Messaging and | Use of Transport Layer Security (TLS) in the Extensible Messaging and | |||
| Presence Protocol (XMPP) | Presence Protocol (XMPP) | |||
| draft-saintandre-xmpp-tls-05 | draft-saintandre-xmpp-tls-06 | |||
| Abstract | Abstract | |||
| This document provides recommendations for the use of Transport Layer | This document provides recommendations for the use of Transport Layer | |||
| Security (TLS) in the Extensible Messaging and Presence Protocol | Security (TLS) in the Extensible Messaging and Presence Protocol | |||
| (XMPP). This document updates RFC 6120. | (XMPP). This document updates RFC 6120. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 17, 2014. | This Internet-Draft will expire on September 5, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Discussion Venue . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Discussion Venue . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 3 | 4. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.1. Support for TLS . . . . . . . . . . . . . . . . . . . . . 3 | 4.1. Support for TLS . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.2. Protocol Versions . . . . . . . . . . . . . . . . . . . . 3 | 4.2. Protocol Versions . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.3. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 3 | 4.3. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.4. Public Key Length . . . . . . . . . . . . . . . . . . . . 3 | 4.4. Public Key Length . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.5. Certificate Validation . . . . . . . . . . . . . . . . . 3 | 4.5. Compression . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.6. Unauthenticated Connections . . . . . . . . . . . . . . . 4 | 4.6. Session Resumption . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.7. Server Name Indication . . . . . . . . . . . . . . . . . 4 | 4.7. Authenticated Connections . . . . . . . . . . . . . . . . 4 | |||
| 4.8. Session Resumption . . . . . . . . . . . . . . . . . . . 4 | 4.8. Unauthenticated Connections . . . . . . . . . . . . . . . 4 | |||
| 4.9. Compression . . . . . . . . . . . . . . . . . . . . . . . 4 | 4.9. Server Name Indication . . . . . . . . . . . . . . . . . 4 | |||
| 4.10. Human Factors . . . . . . . . . . . . . . . . . . . . . . 5 | 4.10. Human Factors . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Implementation Notes . . . . . . . . . . . . . . . . . . . . 5 | 5. Implementation Notes . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 6 | 8.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| 8.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 8.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 8 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| skipping to change at page 3, line 34 ¶ | skipping to change at page 3, line 34 ¶ | |||
| supports TLS), the initiating entity MUST NOT proceed with the stream | supports TLS), the initiating entity MUST NOT proceed with the stream | |||
| negotiation and MUST instead abort the connection attempt. Although | negotiation and MUST instead abort the connection attempt. Although | |||
| XMPP servers SHOULD include the <required/> child element to indicate | XMPP servers SHOULD include the <required/> child element to indicate | |||
| that negotiation of TLS is mandatory, clients and peer servers MUST | that negotiation of TLS is mandatory, clients and peer servers MUST | |||
| NOT depend on receiving the <required/> flag in determining whether | NOT depend on receiving the <required/> flag in determining whether | |||
| TLS will be enforced for the stream. | TLS will be enforced for the stream. | |||
| 4.2. Protocol Versions | 4.2. Protocol Versions | |||
| Implementations MUST follow the recommendations in | Implementations MUST follow the recommendations in | |||
| [I-D.sheffer-tls-bcp]. | [I-D.sheffer-tls-bcp] as to supporting various TLS versions and | |||
| avoiding fallback to SSL. | ||||
| 4.3. Cipher Suites | 4.3. Cipher Suites | |||
| Implementations MUST follow the recommendations in | Implementations MUST follow the recommendations in | |||
| [I-D.sheffer-tls-bcp]. | [I-D.sheffer-tls-bcp]. | |||
| 4.4. Public Key Length | 4.4. Public Key Length | |||
| Implementations MUST follow the recommendations in | Implementations MUST follow the recommendations in | |||
| [I-D.sheffer-tls-bcp]. | [I-D.sheffer-tls-bcp]. | |||
| 4.5. Certificate Validation | 4.5. Compression | |||
| Implementations MUST follow the recommendations in | ||||
| [I-D.sheffer-tls-bcp]. | ||||
| XMPP supports an application-layer compression technology [XEP-0138], | ||||
| which might have slightly stronger security properties than TLS (at | ||||
| least because it is enabled after SASL authentication, as described | ||||
| in [XEP-0170]). | ||||
| 4.6. Session Resumption | ||||
| Implementations MUST follow the recommendations in | ||||
| [I-D.sheffer-tls-bcp]. | ||||
| Use of session IDs [RFC5246] is RECOMMENDED instead of session | ||||
| tickets [RFC5077], since XMPP does not in general use state | ||||
| management technologies such as tickets or "cookies" [RFC6265]. | ||||
| Note that, in XMPP, TLS session resumption can be used in concert | ||||
| with the XMPP Stream Management extension; see [XEP-0198] for further | ||||
| details. | ||||
| 4.7. Authenticated Connections | ||||
| Both the core XMPP specification [RFC6120] and the "CertID" | Both the core XMPP specification [RFC6120] and the "CertID" | |||
| specification [RFC6125] provide recommendations and requirements for | specification [RFC6125] provide recommendations and requirements for | |||
| certificate checking. This document does not supersede those | certificate validation in the context of authenticated connections. | |||
| specifications. | This document does not supersede those specifications. Wherever | |||
| possible, it is best to prefer authenticated connections (along with | ||||
| SASL [RFC4422]), as already stated in the core XMPP specification | ||||
| [RFC6120]. In particular, clients MUST authenticate servers. | ||||
| 4.6. Unauthenticated Connections | 4.8. Unauthenticated Connections | |||
| The core XMPP specification [RFC6120] states a preference for the use | Given the pervasiveness of passive eavesdropping, even an | |||
| of TLS for encryption along with SASL [RFC4422] for authentication. | unauthenticated connection might be better than an unencrypted | |||
| In general, it is preferable for a connection to be authenticated, | connection (this is similar to the "better than nothing security" | |||
| including proper identity checking as defined by the "CertID" | approach for IPsec [RFC5386]). In particular, because of current | |||
| specification [RFC6125]. However, given the pervasiveness of passive | deployment challenges for authenticated connections between XMPP | |||
| eavesdropping, even an unauthenticated connection might be better | servers (see [I-D.ietf-xmpp-dna] for details), it might be reasonable | |||
| than an unencrypted connection (this is similar to the "better than | for XMPP server implementations to accept unauthenticated connections | |||
| nothing security" approach for IPsec [RFC5386]). In particular, | when the Server Dialback protocol [XEP-0220] is used for weak | |||
| given current deployment challenges for authenticated connections | identity verification; this will at least enable encryption of | |||
| between XMPP servers (see [I-D.ietf-xmpp-dna] for details), it might | server-to-server connections. Unauthenticated connections include | |||
| be reasonable for XMPP server implementations to accept | connections negotiated using anonymous Diffie-Hellman algorithms or | |||
| unauthenticated connections when the Server Dialback protocol | using self-signed certificates, among other scenarios. | |||
| [XEP-0220] is used for weak identity verification; this will at least | ||||
| enable encryption of server-to-server connections. Unauthenticated | ||||
| connections include connections negotiated using anonymous Diffie- | ||||
| Hellman algorithms or using self-signed certificates, among other | ||||
| scenarios. | ||||
| 4.7. Server Name Indication | 4.9. Server Name Indication | |||
| Although there is no harm in supporting the TLS Server Name | Although there is no harm in supporting the TLS Server Name | |||
| Indication (SNI) extension [RFC6066], this is not necessary since the | Indication (SNI) extension [RFC6066], this is not necessary since the | |||
| same function is served in XMPP by the 'to' address of the initial | same function is served in XMPP by the 'to' address of the initial | |||
| stream header as explained in Section 4.7.2 of [RFC6120]. | stream header as explained in Section 4.7.2 of [RFC6120]. | |||
| 4.8. Session Resumption | ||||
| If TLS session resumption is used (e.g., in concert with the XMPP | ||||
| Stream Management extension [XEP-0198]), care ought to be taken to do | ||||
| so safely. In particular, the resumption information (either session | ||||
| IDs [RFC5246] or session tickets [RFC5077]) needs to be authenticated | ||||
| and encrypted to prevent modification or eavesdropping by an | ||||
| attacker. | ||||
| Use of session IDs [RFC5246] is RECOMMENDED instead of session | ||||
| tickets [RFC5077], since XMPP does not in general use state | ||||
| management technologies such as tickets or "cookies" [RFC6265]. | ||||
| 4.9. Compression | ||||
| XMPP is not generally subject to attacks based on TLS-layer | ||||
| compression (e.g., the "CRIME" attack), since it is not typically | ||||
| used to communicate static strings of the kind communicated over | ||||
| HTTP, such as "cookies" [RFC6265]. However, because XMPP also | ||||
| supports an application-layer compression technology [XEP-0138], | ||||
| implementers might wish to prefer XMPP compression over TLS | ||||
| compression in order to avoid any potential security issues with TLS- | ||||
| layer compression. (See [I-D.sheffer-tls-bcp] for related | ||||
| discussion.) | ||||
| 4.10. Human Factors | 4.10. Human Factors | |||
| It is RECOMMENDED that XMPP clients provide ways for end users (and | It is RECOMMENDED that XMPP clients provide ways for end users (and | |||
| that XMPP servers provide ways for administators) to complete the | that XMPP servers provide ways for administators) to complete the | |||
| following tasks: | following tasks: | |||
| o Determine if a client-to-server or server-to-server connection is | o Determine if a client-to-server or server-to-server connection is | |||
| encrypted and authenticated. | encrypted and authenticated. | |||
| o Determine the version of TLS used for a client-to-server or | o Determine the version of TLS used for a client-to-server or | |||
| skipping to change at page 6, line 10 ¶ | skipping to change at page 6, line 9 ¶ | |||
| "metadata" that might leak. | "metadata" that might leak. | |||
| It is possible that XMPP servers themselves might be compromised. In | It is possible that XMPP servers themselves might be compromised. In | |||
| that case, per-hop encryption would not protect XMPP communications, | that case, per-hop encryption would not protect XMPP communications, | |||
| and even end-to-end encryption of (parts of) XMPP stanza payloads | and even end-to-end encryption of (parts of) XMPP stanza payloads | |||
| would leave addressing information and XMPP roster data in the clear. | would leave addressing information and XMPP roster data in the clear. | |||
| By the same token, it is possible that XMPP clients (or the end-user | By the same token, it is possible that XMPP clients (or the end-user | |||
| devices on which such clients are installed) could also be | devices on which such clients are installed) could also be | |||
| compromised, leaving users utterly at the mercy of an adversary. | compromised, leaving users utterly at the mercy of an adversary. | |||
| This document, along with actions currently being taken to improve | This document, along with actions currently being taken to strenthen | |||
| the security of the XMPP network, do not assume widespread compromise | the security of the XMPP network, do not assume widespread compromise | |||
| of XMPP servers and clients or their underlying operating systems or | of XMPP servers and clients or their underlying operating systems or | |||
| hardware. Thus it is assumed that ubiquitous use of per-hop TLS | hardware. Thus it is assumed that ubiquitous use of per-hop TLS | |||
| channel encryption and more significant deployment of end-to-end | channel encryption and more significant deployment of end-to-end | |||
| object encryption technologies will serve to protect XMPP | object encryption technologies will serve to protect XMPP | |||
| communications to a measurable degree, compared to the alternatives. | communications to a measurable degree, compared to the alternatives. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| skipping to change at page 7, line 35 ¶ | skipping to change at page 7, line 35 ¶ | |||
| [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: | [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: | |||
| Extension Definitions", RFC 6066, January 2011. | Extension Definitions", RFC 6066, January 2011. | |||
| [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, | [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, | |||
| April 2011. | April 2011. | |||
| [XEP-0138] | [XEP-0138] | |||
| Hildebrand, J. and P. Saint-Andre, "Stream Compression", | Hildebrand, J. and P. Saint-Andre, "Stream Compression", | |||
| XSF XEP 0138, May 2009. | XSF XEP 0138, May 2009. | |||
| [XEP-0170] | ||||
| Saint-Andre, P., "Recommended Order of Stream Feature | ||||
| Negotiation", XSF XEP 0170, January 2007. | ||||
| [XEP-0198] | [XEP-0198] | |||
| Karneges, J., Saint-Andre, P., Hildebrand, J., Forno, F., | Karneges, J., Saint-Andre, P., Hildebrand, J., Forno, F., | |||
| Cridland, D., and M. Wild, "Stream Management", XSF XEP | Cridland, D., and M. Wild, "Stream Management", XSF XEP | |||
| 0198, June 2011. | 0198, June 2011. | |||
| [XEP-0220] | [XEP-0220] | |||
| Miller, J., Saint-Andre, P., and P. Hancke, "Server | Miller, J., Saint-Andre, P., and P. Hancke, "Server | |||
| Dialback", XSF XEP 0220, September 2013. | Dialback", XSF XEP 0220, September 2013. | |||
| 8.3. URIs | 8.3. URIs | |||
| [1] https://www.ietf.org/mailman/listinfo/xmpp | [1] https://www.ietf.org/mailman/listinfo/xmpp | |||
| [2] https://www.ietf.org/mailman/listinfo/uta | [2] https://www.ietf.org/mailman/listinfo/uta | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| Thanks to the following individuals for their input: Thijs Alkemade, | Thanks to the following individuals for their input: Dave Cridland, | |||
| Dave Cridland, Philipp Hancke, Olle Johansson, Steve Kille, Tobias | Philipp Hancke, Olle Johansson, Steve Kille, Tobias Markmann, Matt | |||
| Markmann, Matt Miller, and Rene Treffer. | Miller, and Rene Treffer. | |||
| Authors' Addresses | Authors' Addresses | |||
| Peter Saint-Andre | Peter Saint-Andre | |||
| &yet | &yet | |||
| Email: ietf@stpeter.im | Email: ietf@stpeter.im | |||
| Thijs Alkemade | Thijs Alkemade | |||
| End of changes. 14 change blocks. | ||||
| 60 lines changed or deleted | 61 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||