Last Call Review of draft-ietf-xmpp-3920bis-

Request Review of draft-ietf-xmpp-3920bis
Requested rev. no specific revision (document currently at 22)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-10-21
Requested 2010-10-10
Authors Peter Saint-Andre
Draft last updated 2010-10-29
Completed reviews Secdir Last Call review of -?? by Richard Barnes
Secdir Last Call review of -?? by Yaron Sheffer
Assignment Reviewer Yaron Sheffer
State Completed
Review review-ietf-xmpp-3920bis-secdir-lc-sheffer-2010-10-29
Review completed: 2010-10-29


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.

The document updates RFC 3920, which is the definition of the core XMPP 

real-time messaging protocol. It should be noted the instant messaging 

and presence are layered on top of this protocol, and specified separately.


The document is initially intimidating, because of its length. But it is 

extremely well written (for which I would like to thank the editor) and 

well organized. So overall, a good read.

I have not found anything that I consider a glaring security hole. But 

this is a layered security architecture (application layer == XMPP core 

== SASL == TLS) which is not easy to do right. Hence the large number of 

comments and questions below.

I also appreciate the open discussion of the existing implementations 

and their security issues (e.g. "server dialback", shiver). I hope this 

document results in a security improvement in real deployments.

Detailed Comments

Note: these comments are based on rev -17 of the draft. This only 

matters as far as section numbers, with the only security-relevant 

change in -18 being a useful note on end-to-end protection.

- 1.3: Implementation note: I suggest adding something like "Solutions 

specified in this document offer a significantly better level of security."

- 3.3: why do we not recommend to use TLS (stateless) session resumption 

for reconnection?

- 4.2.5 the access control rule at the bottom of this section makes 

sense. Why why does it explicitly not apply to elements other than XML 

stanzas? Are there cases where you negotiate TLS with someone other than 

the server? You can even imagine weird tunneling attacks using this 


- 4.2.5: "other than itself" - am I really allowed to send "message" 

stanzas from one resource of a JID to another resource of the same JID, 

before feature negotiation and before TLS negotiation?

- 4.2.6: why do we even allow non-SASL protected server-to-server 


- 4.3: How is TLS negotiated for the additional streams? How is it bound 

to the SASL negotiation that (apparently) only takes place once?

- 4.4: this section appears to tie the two streams in the opposite 

directions together - when you close one you expect the other guy to 

close the other ASAP. But what is the behavior for "multiple streams 

over multiple connections" (Sec. 4.3)?

- 4.4: what about orderly tear-down of the TLS association ("closure 


- does not-authorized only refer to stream-level, rather than 

stanza-level errors? Are there cases when I am authorized to send some 

stanza types but not others?

- remote-connection-failed has dubious security benefit (why 

tell the world that your RADIUS server is down), compared to reusing 


- shouldn't we say that "reset" (when the stream is encrypted) 

also applies to the higher layers, i.e. encryption and authentication 

should be performed again?

- what are the security implications of a "redirect"? Should 

the client apply the same policy, e.g. for using TLS, as for the 

original server? Which "to" identity to use? Can redirection occur 

before the recipient is even authenticated?

- 4.9: Don't we resend the "stream" header again after completing the 

TLS negotiation (Sec. 4.2.3).

- 5.3.5: the text mentions that client certificates are "sufficiently 

rare", which is a pity because they do make sense for server-to-server 

interaction. So I suggest to promote renegotiation from OPTIONAL to 


- 5.3.6: extensions may be out of scope. But I think we need to include 

a few words re: the TLS version, at least to prohibit SSL 3.0.

- 5.4.1: don't you have to declare version >= 1.0 if you simply support 

this draft? Same question in 6.4.1.

- why is the initiator required to present a certificate "So 

that mutual authentication will be possible"? There are many other ways 

of ensuring mutual auth. I suggest to reword as "mutual certificate 


- Global replace TLS "cipher" -> "ciphersuite".

-, bullet 5: actually, based on the "from" attribute that the 

receiving entity has just sent.

- where do we say that both sides must validate the "to" and 

"from" identities in view of the identities presented at the TLS layer 

(if any)?

- 6.3.2: do you restart the stream twice, once after TLS and once after 


- 6.3.3: shouldn't we simply "MUST NOT" the PLAIN mechanism?

- 6.3.7: and what is the identity used for server-to-server auth? Also, 

it is very uncommon to consider the password as part of the identity.

- 6.4.4: isn't it inconsistent that SASL aborts are converted into XMPP 

failures, but TLS failures are not?

- the preferred option #1, while reasonable in itself, does not 

allow the client to determine its own policy (whether it wants multiple 

sessions from multiple devices or not).

- any validated domain -> any validated subdomain.

- 8.3.1, rule #2: if the error is a result of something gone bad with 

the addresses, then simply swapping "to" and "from" may not be 

appropriate, and may even be a security issue.

- Same, rule #6, the recipient MUST NOT include the original XML if it's 

not well formed, right?

- 8.3.2: MUST NOT... be presented to the human user - this is impossible 

to enforce, and most likely will not be followed. Moreover, there's a 

reason why we include a language tag. I suggest to tone it down a bit.

- what are "improper credentials"? It sounds like we are not 

differentiating the conditions of authentication failure vs. 

authorization failure.

- the "security note" doesn't makes sense to me - no matter 

what error code is returned, the sender has gained information that we 

don't want to provide. The note should say something along the lines of: 

such services must not be available to entities that cannot be trusted 

with knowing the status of an arbitrary recipient. See also

- Are there no security implications to redirection at the 

stanza level?

- The "wait" error type might not be appropriate for some 

situations, e.g. authentication issues.

- do you explain anywhere what is the difference between 

"prior registration" and "prior subscription"?

- 9.1.1, step 7: this is utterly trivial, but please mention that the 

new "stream" element is sent over TLS.

- 9.1.5: as I noted in Sec. 4.4, the TLS connection needs to be closed 

as well.

- 10.2: "try many different resources", I suppose it is typically fewer 

than 10 per JID, which does not make the attack uninteresting.

- 10.4.2: if the protocol supports routing, shouldn't we mention that 

there are cases where the IQ stanza will be forwarded to another server, 

not the one mentioned in the "To" header? And what about loop prevention?

- this is a strange rule. Does it mean that if I'm using a 

desktop (/desktop) and a mobile (/mobile), and I'm connected to the 

desktop, I cannot have messages targeted at my mobile be deferred (and 

stored somewhere) until I connect from that device?

- 13.4: "for the ensuring" -> "for ensuring" (or: to ensure).

- 13.4: the security note is confusing, because it is unclear whether it 

has any normative status. Otherwise, it is almost trivial: of course you 

can provide these guarantees by different means.

- 13.4: the cipher suites are not just "nun-null". They MUST provide 

both confidentiality and integrity.

- 13.6: the out-of-band trust chain rule may be practical for 

server-to-server connections, but probably not for large client 

deployments and when certificates are sometimes rolled over.

- 13.7: terminology: "mutual authentication" describes authentication 

with client certs, just as much as it describes the server presenting a 

cert and the client authenticating with SASL. This also applies to 5.4.3.

- The word "issuer" is ambiguous. It usually refers to a 

person/organization, but here you use it to refer to the certificate 

itself. How about replacing the heading of the second list by: "the 

following rules apply to issuer certificates, used to sign XMPP 

end-entity certificates"?

- it's strange to specify the hash algorithm, but not the 

signature algorithm (RSA-512 anyone?)

- what are "access certificates"? Neither 5280 nor Google can 

help... And how can an issuer cert NOT be marked with the CA bit?

- and most important, is the "relying party" (e.g. the client) 

required to check all these rules and fail validation if any of them is 

not met?

- enabling entity -> enabling entities.
- "conjuction" misspelled.

- 13.7.2: "An implementation MUST enable a human user to view 

information about the certification path." I'm afraid this is security 

theater, because 99.5% of your target population cannot understand this 


- "MUST either validate" - incomplete sentence (and 

actually, at a sensitive point in the text).

-, subcase #3: please mention that some servers will simply 

fail validation at this point, subject to their policy. I.e., some might 

insist on correct client certs.

- "periodically query OCSP" - is there any guidance about the 

period? Is a recommended period specified in the cert or communicated by 

the OCSP responder?

- 13.7.2: a silly question, but anyway: where do you say that the 

client's cert is correlated with the client's JID, as it appears in the 

From line (when setting up the original stream and/or when setting the 

stream anew after TLS negotiation)? And vice versa, for the server cert 

and the client's To header.

- 13.8: I suggest to add (here or elsewhere): "All password-based 

mechanisms are susceptible to password guessing attacks, and therefore 

the authenticator MUST implement common rate-limiting mitigations."

- 13.8: "For both confidentiality and authentication with passwords" - 

here you don't specify a TLS ciphersuite.

- 13.8: the note kind of implies that PLAIN is preferable to DIGEST-MD5, 

which is clearly not the case.

- 13.9.4: why is SASL-PLAIN singled out here? Other mechanisms are 

susceptible to off-line password guessing when used without TLS 

confidentiality, which is not a trivial attack but still a significant risk.

- 13.11: all three examples of "service unavailable" can be ruled out on 

an operational server. Are there no better examples?

- 15: The sasl-whitespace "feature" is not really a feature, because 

you'd fail any interoperability if you send whitespace during the SASL 

phase, right? Similarly tls-whitespace.

- 15: if we insist on PLAIN, I would expect a security-mti-auth-order 

feature, where the proposals are ordered right (i.e. with PLAIN at the end).

- 15: why is confidentiality-only a MUST? Is it widely deployed? Is it 

required for backward compatibility? By the way, please expand the 

acronym MTI somewhere.

- 15: and hey, there's no feature defined for TLS+SCRAM+? Isn't this the 

one we want/expect to be deployed?

- 15: stanza-* features - if you have an XML schema, can't you just say 

that conformance to the schema is REQUIRED and eliminate all this stuff? 

Given that these are MUSTs, not SHOULDs, a formal specification is so 

much easier to validate. This does *not* contradict the fact that 

runtime validation is optional.

- 15: I would expect one or a few features around validation of 

identities at the various layers, since we're spending much of the 

document on this issue. "tls-certs" is an important piece of that, but 

not the whole thing.