XEP-xxxx: XMPP Transport Layer Security

Copyright (c) 1999 - 2009 XMPP Standards Foundation. See Legal Notices.


This document specifies the XMPP Transport Layer Security (XTLS) protocol. XTLS, which provides communications privacy for the Extensible Messaging and Presence Protocol (XMPP), enables XMPP applications to communicate in a way that is designed to prevent eavesdropping, tampering, and forgery of XML stanzas. XTLS is based on Transport Layer Security (TLS) and integrated as security layer into Jingle. The protocol can be used for secure end-to-end messages as well as any other Jingle application like file file transfer.

WARNING: This document has not yet been accepted for consideration or approved in any official manner by the XMPP Standards Foundation, and this document must not be referred to as an XMPP Extension Protocol (XEP). If this document is accepted as a XEP by the XMPP Council, it will be published at <http://www.xmpp.org/extensions/> and announced on the <standards@xmpp.org> mailing list.


Table of Contents


1. Introduction
2. Requirements
3. Approach
4. Basic Protocol
5. Bootstrapping Trust on First Communication
    5.1. Exchanging Certificates
    5.2. Verification of Non-Human Parties
6. Determining Support
7. Security Considerations
    7.1. Mandatory-to-Implement Technologies
    7.2. Certificates
    7.3. Denial of Service
8. IANA Considerations
9. XMPP Registrar Considerations
    9.1. Protocol Namespaces
    9.2. Protocol Versioning
    9.3. XTLS Methods Registry
       9.3.1. Process
       9.3.2. Registration
10. XML Schema

Appendices
    A: Document Information
    B: Author Information
    C: Legal Notices
    D: Relation to XMPP
    E: Discussion Venue
    F: Requirements Conformance
    G: Notes
    H: Revision History


1. Introduction

End-to-end encryption of traffic sent over the Extensible Messaging and Presence Protocol (XMPP) is a desirable goal. The Jabber/XMPP developer community has experimented with several such technologies, including OpenPGP (Current Jabber OpenPGP Usage [1]), S/MIME (RFC 3923 [2]), and encrypted sessions or "ESessions" (Bootstrapping Implementation of Encrypted Sessions [3]). For various reasons, these technologies have not been widely implemented and deployed. When the XMPP Standards Foundation (XSF) [4] asked various Internet security experts to complete a security review of encrypted sessions, it was recommended to explore the possibility of instead using the Transport Layer Security (TLS; see RFC 4346 [5]) as the base technology for XMPP. That possibility is explored in this document.

TLS is the most widely implemented protocol for securing network traffic. In addition to applications in the email infrastructure, the World Wide Web (HTTP Over TLS; see RFC 2818 [6]), and datagram transport for multimedia session negotiation (DTLS; see RFC 4347 [7]), TLS is used in XMPP to secure TCP connections from client to server and from server to server, as specified in XMPP Core [8]. Therefore TLS is already familiar to XMPP developers.

This specification, called "XTLS", defines a method whereby any Jingle [9] application can use TLS semantics for end-to-end encryption, whether the application data is sent over a streaming transport (like TCP) or a datagram transport (like UDP). The most common use case is to tunnel XMPP stanzas between two clients for end-to-end secure chat with Jingle XML Streams [10]. However, XTLS is not limited to client-to-client encryption, since it can be used between two XMPP clients, between an XMPP client and a remote XMPP service (i.e., a service with which a client does not have a direct XML stream, such as a Multi-User Chat [11] chatroom), or between two remote XMPP services. Furthermore, XTLS can be used for encrypted file transfer (see Jingle File Transfer [12]), for encrypted voice or video sessions using Jingle RTP Sessions [13] and DTLS-SRTP [14], and other applications.

Note: This specification is a work in progress and does not yet define all uses of XTLS.

2. Requirements

This specification is intended to meet the requirements defined in Requirements for Encrypted Sessions [15] using building blocks that are already widely supported in XMPP clients, such as TLS, Jingle, and In-Band Bytestreams [16]. It is possible that some of those requirements can be met only with particular TLS cipher suites, or cannot be met at all without defining extensions to TLS itself. A full gap analysis has not yet been completed.

3. Approach

In broad outline, XTLS takes the following approach to end-to-end encryption of XMPP traffic:

  1. We assume that all XMPP entities will have X.509 certificates, typically self-signed and automatically generated by an XMPP client (although CA-issued certificates are acceptable).

  2. We use the XMPP Jingle extensions as the negotiation framework.

  3. We define a <security/> element that can be included in any Jingle negotiation, and a new "security-info" Jingle action for sending security-related information.

  4. When an entity wishes to encrypt its communications with a second entity, it sends a Jingle session-initiate request that specifies the desired application type (e.g., file transfer), a possible transport (e.g., SOCKS5 bytestreams), and security information such as the sender's X.509 fingerprint and supported TLS methods (e.g., secure remote password).

  5. If both parties support XTLS, the first data sent over the negotiated transport is TLS handshake data, not application data. Once the TLS handshake has finished, the parties can then send application data over the now-encrypted transport.

  6. The simplest scenario is end-to-end encryption of traditional XMPP text chat using end-to-end XML streams, in-band bytestreams, and previously-accepted X.509 certificates.

  7. On first use of end-to-end encryption between two entities, it is encouraged to use secure remote passwords rather than leap-of-faith to bootstrap the subsequent use of the client-generated X.509 certificates.

  8. More complex scenarios are theoretically supported (e.g., encrypted file transfer using SOCKS5 bytestreams and encrypted voice chat using DTLS-SRTP) but have not yet been fully defined.

  9. XTLS theoretically can be used to establish a TLS-encrypted streaming transport or a DTLS-encrypted datagram transport, but integration with DTLS (RFC 4347 [17]) has not yet been prototyped so use with streaming transports is the more stable scenario.

We expand on this approach in the following section.

4. Basic Protocol

The basic flow for an XTLS session is as follows, where traffic represented by single dashes (---) is sent over the XMPP signalling channel and traffic represented by double lines (===) is sent over the negotiated transport.

Initiator                   Responder
  |                            |
  |  session-initiate          |
  |  (with security info)      |
  |--------------------------->|
  |  ack                       |
  |<---------------------------|
  |  session-accept            |
  |<---------------------------|
  |  ack                       |
  |--------------------------->|
  |  open transport            |
  |<==========================>|
  |  TLS ClientHello           |
  |===========================>|
  |  TLS ServerHello, [...]    |
  |<===========================|
  |  TLS [...], Finished       |
  |===========================>|
  |  TLS [...], Finished       |
  |<===========================|
  |  application data          |
  |<==========================>|
  |  session-terminate         |
  |<---------------------------|
  |  ack                       |
  |--------------------------->|
  |                            |
  

To simplify the description we assume here that the parties already trust each other's certificates. See the next section for information about bootstrapping of certificate trust on the first communication.

First the initiator sends a Jingle session-initiate request (here the simple case of an end-to-end text chat session using the Jingle In-Band Bytestreams Transport Method [18]). This request includes a <security/> element that contains the fingerprint of the certificate that the initiator will use during the TLS negotiation.

Example 1. Initiator sends session-initiate

<iq from='romeo@montague.lit/orchard'
    id='xn28s7gk'
    to='juliet@capulet.lit/balcony'
    type='set'>
  <jingle xmlns='urn:xmpp:jingle:0'>
          action='session-initiate'
          initiator='romeo@montague.lit/orchard'
          sid='a73sjjvkla37jfea'>
    <content creator='initiator' name='xmlstream'>
      <description xmlns='urn:xmpp:jingle:apps:xmlstream:0'/>
      <transport xmlns='urn:xmpp:jingle:transports:ibb:0'
                 block-size='4096'
                 sid='ch3d9s71'/>
      <security xmlns='urn:xmpp:jingle:security:xtls:0'>
        <fingerprint>RomeoX509CertificateHash</fingerprint>
        <method name='x509'/>
        <method name='srp'/>
      </security>
    </content>
  </jingle>
</iq>
  

The responder immediately acknowledges receipt of the session-initiate.

Example 2. Responder acknowledges session-initiate

<iq from='juliet@capulet.com/balcony'
    id='xn28s7gk'
    to='romeo@montague.net/orchard'
    type='result'/>
    

Depending on the application type, a user agent controlled by a human user might need to wait for the user to affirm a desire to proceed with the session before continuing. When the user agent has received such affirmation (or if the user agent can automatically proceed for any reason, e.g. because no human intervention is expected or because a human user has configured the user agent to automatically accept sessions with a given entity), it returns a Jingle session-accept message. This message will typically contain the offered application type, transport method, and a <security/> element that includes the fingerprint of the responder's X.509 certificate as well as the responder's supported TLS methods.

Example 3. Responder accepts the session and agrees to use XTLS

<iq from='juliet@capulet.com/balcony'
    id='hf64hl'
    to='romeo@montague.net/orchard'
    type='set'>
  <jingle xmlns='urn:xmpp:jingle:0'>
          action='session-accept'
          initiator='romeo@montague.lit/orchard'
          sid='a73sjjvkla37jfea'>
    <content creator='initiator' name='xmlstream'>
      <description xmlns='urn:xmpp:jingle:apps:xmlstream:0'/>
      <transport xmlns='urn:xmpp:jingle:transports:ibb:0'
                 block-size='4096'
                 sid='ch3d9s71'/>
      <security xmlns='urn:xmpp:jingle:security:xtls:0'/>
        <fingerprint>JulietX509CertificateHash</fingerprint>
        <method name='x509'/>
        <method name='srp'/>
      </security>
    </content>
  </jingle>
</iq>
    

The following rules apply to the responder's handling of the session-initiate message:

  1. If the responder does not support Jingle-XTLS it will silently ignore the <security/> element in the offer and therefore will return a session-accept message without a <security/> element.

  2. If the responder supports Jingle-XTLS it SHOULD return a session-accept message that contains a <security/> element.

  3. If the responder thinks it will be able to verify the initiator's certificate, it MUST include the fingerprint for the responder's certificate in the <security/> element of the session-accept message. This is the "happy path" and will occur when the parties have already verified each other's certificates.

  4. If the responder thinks it will not be able to verify the initiator's certificate, it MAY omit the fingerprint for the responder's certificate in the <security/> element of the session-accept message. This indicates that certificate-based authentication is not possible. In this case the responder SHOULD signal that it wishes to use some other authentication method, such as secure remote passwords (see the next section).

  5. If the responding client cannot verify the initiator's certificate, it SHOULD ask the responding user if a password was exchanged between the parties that can be used for TLS-SRP. If this is not the case, setting up a mutually-authenticated link will fail and the responder MAY terminate the session. Alternatively it could send its own fingerprint knowing it cannot authenticate the initiator, in which case the responder has to trust that there is no man-in-the-middle (see next section).

When the responder sends the session-accept message, the initiator acknowledges receipt.

Example 4. Initiator acknowledges session-accept

<iq from='romeo@montague.net/orchard'
    id='hf64hl'
    to='juliet@capulet.com/balcony'
    type='result'/>
    

The following rules apply to the initiator's handling of the session-accept message:

  1. If the initiator receives a session-accept without a <security/> element, setting up a secure transport layer has failed. The initiator MAY terminate the session at this point or instead proceed without securing the transport. The client SHOULD ask the initiating user how to processed. This depends on the Jingle application and the initiator's preferences: it makes no sense to use end-to-end XML streams without encryption, but the initiator might continue a file transfer without encryption.

  2. If the initiating client cannot verify the responder's certificate it SHOULD ask the initiating user if a password was exchanged between the parties that can be used for TLS-SRP. If this is not the case, setting up a mutually-authenticated link will fail and the responder MAY terminate the session or proceed with leap-of-faith (see next section).

The initiator can now determine if X.509 certificate based authentication will work or if TLS-SRP will be used. It sends an additional security-info message to the responder to signal its choice. This step is not really necessary because the responder will see the initiator's choice in the first message of the TLS handshake, but it can help an implementation to set up its TLS library properly. Because in this section we assume that the parties already have validated each other's certificates, the security method signalled here is "x509".

Example 5. Initiator sends security-info

<iq from='romeo@montague.lit/orchard'
    id='hf749j'
    to='juliet@capulet.lit/balcony'
    type='set'>
  <jingle xmlns='urn:xmpp:jingle:0'>
          action='security-info'
          initiator='romeo@montague.lit/orchard'
          sid='a73sjjvkla37jfea'>
    <content creator='initiator' name='xmlstream'>
      <security xmlns='urn:xmpp:jingle:security:xtls:0'>
        <method name='x509'/>
      </security>
    </content>
  </jingle>
</iq>
    

The responder acknowledges receipt.

Example 6. Responder acknowledges security-info

<iq from='juliet@capulet.lit/balcony'
    id='hf749j'
    to='romeo@montague.lit/orchard'
    type='result'/>
    

Parallel to the security-info exchange the clients set up a transport for the Jingle session. This example uses Jingle In-Band Bytestreams Transport Method [19] which does not require any additional messages (other transport like Jingle SOCKS5 Bytestreams Transport Method [20] and Jingle ICE-UDP Transport Method [21]) need more time to set up). Each transport MUST define a specific time when both cients know that the transport is ready. When XTLS is not used, the Jingle implementation would signal to the using application that the transport is open when the session-accept is sent or received, or when connectivity checks determine media can flow over one of the transport candidates. When XTLS is used, the Jingle implementation starts a TLS handshake on the transport and signals to the using application that the transport is open only after the four-way TLS handshake is finished successfully.

During the TLS handshake, the responder MUST take the role of the TLS server and the initiator MUST take the role of the TLS client. During the handshake, the responder (acting as the TLS server) MUST send a CertificateRequest.

If either client cannot verify the certificate of the peer or receives an invalid message on the TLS layer, it shall terminate the Jingle session immediately, including a Jingle reason of <security-error/>.

Example 7. Initiator terminates the session

<iq from='romeo@montague.lit/orchard'
    id='hz81vf48'
    to='juliet@capulet.lit/balcony'
    type='set'>
  <jingle xmlns='urn:xmpp:jingle:0'
          action='session-terminate'
          initiator='romeo@montague.lit/orchard'
          sid='a73sjjvkla37jfea'>
    <reason><security-error/></reason>
  </jingle>
</iq>
    

The other party then acknowledges the session-terminate and the Jingle session is finished.

Example 8. Responder acknowledges session-terminate

<iq from='juliet@capulet.lit/balcony'
    id='hz81vf48'
    to='romeo@montague.lit/orchard'
    type='result'/>
    

If the TLS negotiation succeeds, then the Jingle implementation shall signal to the using application that the transport is open. The parties can then exchange application data over the encrypted transport.

5. Bootstrapping Trust on First Communication

When two parties first attempt to use XTLS, their certificates might not be accepted (e.g., because they are self-signed or issued by unknown certification authorities). Therefore each party needs to accept the other's certificate for use in future communication sessions. There are several ways to do so:

If the parties use a password or channel binding via SASL, the process needs to be completed only once. After the clients have authenticated with the shared secret, they can exchange their certificates for future communication.

5.1 Exchanging Certificates

To retrieve the certificate of the peer for future communications, a client SHOULD request the certificate according to XEP-0189 over the secure connection. This only works if XTLS was used to set up an end-to-end secure XML stream defined in XEP-0247; exchanging certificates if XTLS was used for other purposes like file transfer is not possible. A client MUST NOT request the certificate over the insecure stream based on the connection to the XMPP server.

Example 9. Public keys request

<iq from='romeo@montague.lit/orchard'
    id='hf7634k'
    to='juliet@capulet.lit/balcony'
    type='get'>
  <pubkeys xmlns='urn:xmpp:tmp:pubkey'/>
</iq>
  

The peer MUST return its own client certificate. If the user has different clients with different client certificates and one user certificate, the user certificate SHOULD also be returned. The user certificate allows it to verify other client certificates using public key retrieval described in XEP-0189.

Example 10. Successful public keys response

<iq from='juliet@capulet.com/balcony'
    id='hf7634k'
    to='romeo@montague.lit/orchard'
    type='result'>
  <pubkeys xmlns='urn:xmpp:tmp:pubkey'>
    <keyinfo>
      <name>JulietX509CertificateHash</name>
      <x509cert>
        MIICCTCCAXKgAwIBAgIJALhU0Id6xxwQMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNV
        BAMTA2ZvbzAeFw0wNzEyMjgyMDA1MTRaFw0wODEyMjcyMDA1MTRaMA4xDDAKBgNV
        BAMTA2ZvbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0DPcfeJzKWLGE22p
        RMINLKr+CxqozF14DqkXkLUwGzTqYRi49yK6aebZ9ssFspTTjqa2uNpw1U32748t
        qU6bpACWHbcC+eZ/hm5KymXBhL3Vjfb/dW0xrtxjI9JRFgrgWAyxndlNZUpN2s3D
        hKDfVgpPSx/Zp8d/ubbARxqZZZkCAwEAAaNvMG0wHQYDVR0OBBYEFJWwFqmSRGcx
        YXmQfdF+XBWkeML4MD4GA1UdIwQ3MDWAFJWwFqmSRGcxYXmQfdF+XBWkeML4oRKk
        EDAOMQwwCgYDVQQDEwNmb2+CCQC4VNCHesccEDAMBgNVHRMEBTADAQH/MA0GCSqG
        SIb3DQEBBQUAA4GBAIhlUeGZ0d0msNVxYWAXg2lRsJt9INHJQTCJMmoUeTtaRjyp
        ffJtuopguNNBDn+MjrEp2/+zLNMahDYLXaTVmBf6zvY0hzB9Ih0kNTh23Fb5j+yK
        QChPXQUo0EGCaODWhfhKRNdseUozfNWOz9iTgMGw8eYNLllQRL//iAOfOr/8
      </x509cert>
    </keyinfo>
  </pubkeys>
</iq>
  

5.2 Verification of Non-Human Parties

If one of the parties is a "bot" (e.g., an automated service or a device such as a set-top box), the password exchange is a bit more complicated. It is similar to Bluetooth peering if the user has access to both clients at the same time. One of the following scenarios might apply:

  1. The bot can be controlled via a remote control input device. The human user can enter the same password or "PIN" on both the bot and the XMPP client.

  2. If the bot has no user input but does have a small display, it could display a random password. The human user can then enter the provided password on the XMPP client.

  3. The bot might have not enough buttons for input and has no output device. In that case the password is fixed. Similar to Bluetooth peering with simple devices such as a headset, the password will be written in the manual or printed on the device. For security reasons the device SHOULD NOT use password-based authentication without any user input. Many Bluetooth devices have at least one button to set the device into peering mode.

  4. A bot may be associated with a web service and could display a random password when the user has logged in to the web site using HTTPS. This assumes that an attacker does not have control over the web server and can perform a man-in-the-middle attack on XMPP level at the same time. If the web service knows the GPG-key of the user (e.g. launchpad) it could send an encrypted email.

A user might have different X.509 certificates for each device. Public Key Publishing [25] can be used to manage the user's certificates. A client SHOULD check the peer's PubSub node for certificates. This makes it possible to use the password method only once between two users even if one or both users switch clients. This makes it also possible for a user to communicate with a friend's bots. They first open a secure link between two chat clients with a password and exchange the user certificates. After that each user can verify all devices of the other without the need of a password.

The retrieved certificate from the PubSub node may be signed by a CA the client can verify. In that case the client MAY skip the password authentication and rely on the X.509 certificate chain. The client SHOULD ask the user if the certificate should be accepted or if a password exchange is desired.

6. Determining Support

If an entity wishes to request the use of XTLS, it SHOULD first determine whether the intended responder supports the protocol. This can be done directly via Service Discovery [26] or indirectly via Entity Capabilities [27].

If an entity supports XTLS, it MUST report that by including a service discovery feature of "urn:xmpp:jingle:security:xtls:0" in response to disco#info requests (see Protocol Namespaces regarding issuance of one or more permanent namespaces).

Example 11. Initial Service Discovery Information Request

<iq from='romeo@montague.lit/orchard'
    id='disco1'
    to='juliet@capulet.lit/chamber'
    type='get'>
  <query xmlns='http://jabber.org/protocol/disco#info'/>
</iq>
  

Example 12. Service Discovery Information Response

<iq from='juliet@capulet.lit/chamber'
    id='disco1'
    to='romeo@montague.lit/orchard'
    type='result'>
  <query xmlns='http://jabber.org/protocol/disco#info'>
    <feature var='urn:xmpp:jingle:security:xtls:0'/>
  </query>
</iq>
  

Both service discovery and entity capabilities information could be corrupted or intercepted; for details, see the Denial of Service section of this document.

7. Security Considerations

This entire document addresses security. Particular security-related issues are discussed in the following sections.

7.1 Mandatory-to-Implement Technologies

An implementation MUST at a minimum support the "srp" and "x509" methods. A future version of this specification will document mandatory-to-implement TLS ciphers.

7.2 Certificates

As noted, XTLS can be used between XMPP clients, between an XMPP client and a remote XMPP service (i.e., a service with which a client does not have a direct XML stream), or between remote XMPP services. Therefore, a party to an XTLS bytestream will present either a client certificate or a server certificate as appropriate. Such certificates MUST be generated and validated in accordance with the certificate guidelines guidelines provided in rfc3920bis [28].

A future version of this specification might provide additional guidelines regarding certificate validation in the context of client-to-client encryption.

7.3 Denial of Service

The Jingle stanzas are not encrypted or signed; the same is true of service discovery exchanges and entity capabilities data. Therefore it is possible for an attacker to intercept these stanzas and modify them, thus convincing the initiator that the responder does not support XTLS and therefore denying the parties an opportunity to use XTLS.

A future version of this specification might address this problem.

8. IANA Considerations

This document requires no interaction with the Internet Assigned Numbers Authority (IANA) [29].

9. XMPP Registrar Considerations

9.1 Protocol Namespaces

This specification defines the following XML namespace:

Upon advancement of this specification from a status of Experimental to a status of Draft, the XMPP Registrar [30] shall add the foregoing namespace to the registry located at <http://xmpp.org/registrar/namespaces.html>, as described in Section 4 of XMPP Registrar Function [31].

9.2 Protocol Versioning

If the protocol defined in this specification undergoes a revision that is not fully backwards-compatible with an older version, the XMPP Registrar shall increment the protocol version number found at the end of the XML namespaces defined herein, as described in Section 4 of XEP-0053.

9.3 XTLS Methods Registry

The XMPP Registrar shall create a registry of TLS methods that can be used in the context of XTLS.

9.3.1 Process

In order to submit new values to this registry, the registrant shall define an XML fragment of the following form and either include it in the relevant XMPP Extension Protocol or send it to the email address <registrar@xmpp.org>:

<method>
  <name>the XML character data of the TLS method name</name>
  <desc>a natural-language description of the method</desc>
  <doc>the document that specifies or registers the method</doc>
</method>
      

The registrant can register more than one TLS method at a time, each contained in a separate <method/> element.

9.3.2 Registration

The initial registration is as follows.

<method>
  <name>openpgp</name>
  <desc>exchange of OpenPGP keys</desc>
  <doc>RFC 5081</doc>
</method>

<method>
  <name>srp</name>
  <desc>exchange of secure remote passwords</desc>
  <doc>RFC 5054</doc>
</method>

<method>
  <name>x509</name>
  <desc>exchange of X.509 certificates</desc>
  <doc>RFC 5246</doc>
</method>
      

10. XML Schema

The XML schema will be provided in a later version of this document.


Appendices


Appendix A: Document Information

Series: XEP
Number: xxxx
Publisher: XMPP Standards Foundation
Status: ProtoXEP
Type: Standards Track
Version: 0.0.4
Last Updated: 2009-02-21
Approving Body: XMPP Council
Dependencies: XMPP Core, RFC 4346, XEP-0250
Supersedes: None
Superseded By: None
Short Name: NOT_YET_ASSIGNED


Appendix B: Author Information

Dirk Meyer

Email: dmeyer@tzi.de
JabberID: dmeyer@jabber.org

Peter Saint-Andre

JabberID: stpeter@jabber.org
URI: https://stpeter.im/


Appendix C: Legal Notices

Copyright

This XMPP Extension Protocol is copyright (c) 1999 - 2009 by the XMPP Standards Foundation (XSF).

Permissions

Permission is hereby granted, free of charge, to any person obtaining a copy of this specification (the "Specification"), to make use of the Specification without restriction, including without limitation the rights to implement the Specification in a software program, deploy the Specification in a network service, and copy, modify, merge, publish, translate, distribute, sublicense, or sell copies of the Specification, and to permit persons to whom the Specification is furnished to do so, subject to the condition that the foregoing copyright notice and this permission notice shall be included in all copies or substantial portions of the Specification. Unless separate permission is granted, modified works that are redistributed shall not contain misleading information regarding the authors, title, number, or publisher of the Specification, and shall not claim endorsement of the modified works by the authors, any organization or project to which the authors belong, or the XMPP Standards Foundation.

Disclaimer of Warranty

## NOTE WELL: This Specification is provided on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. In no event shall the XMPP Standards Foundation or the authors of this Specification be liable for any claim, damages, or other liability, whether in an action of contract, tort, or otherwise, arising from, out of, or in connection with the Specification or the implementation, deployment, or other use of the Specification. ##

Limitation of Liability

In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall the XMPP Standards Foundation or any author of this Specification be liable for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising out of the use or inability to use the Specification (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if the XMPP Standards Foundation or such author has been advised of the possibility of such damages.

IPR Conformance

This XMPP Extension Protocol has been contributed in full conformance with the XSF's Intellectual Property Rights Policy (a copy of which may be found at <http://xmpp.org/extensions/ipr-policy.shtml> or obtained by writing to XSF, P.O. Box 1641, Denver, CO 80201 USA).

Appendix D: Relation to XMPP

The Extensible Messaging and Presence Protocol (XMPP) is defined in the XMPP Core (RFC 3920) and XMPP IM (RFC 3921) specifications contributed by the XMPP Standards Foundation to the Internet Standards Process, which is managed by the Internet Engineering Task Force in accordance with RFC 2026. Any protocol defined in this document has been developed outside the Internet Standards Process and is to be understood as an extension to XMPP rather than as an evolution, development, or modification of XMPP itself.


Appendix E: Discussion Venue

The primary venue for discussion of XMPP Extension Protocols is the <standards@xmpp.org> discussion list.

Discussion on other xmpp.org discussion lists might also be appropriate; see <http://xmpp.org/about/discuss.shtml> for a complete list.

Given that this XMPP Extension Protocol normatively references IETF technologies, discussion on the <xsf-ietf@xmpp.org> list might also be appropriate.

Errata may be sent to <editor@xmpp.org>.


Appendix F: Requirements Conformance

The following requirements keywords as used in this document are to be interpreted as described in RFC 2119: "MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD", "RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".


Appendix G: Notes

1. XEP-0027: Current Jabber OpenPGP Usage <http://xmpp.org/extensions/xep-0027.html>.

2. RFC 3923: End-to-End Signing and Object Encryption for the Extensible Messaging and Presence Protocol (XMPP) <http://tools.ietf.org/html/rfc3923>.

3. XEP-0218: Bootstrapping Implementation of Encrypted Sessions <http://xmpp.org/extensions/xep-0218.html>.

4. The XMPP Standards Foundation (XSF) is an independent, non-profit membership organization that develops open extensions to the IETF's Extensible Messaging and Presence Protocol (XMPP). For further information, see <http://xmpp.org/xsf/>.

5. RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1 <http://tools.ietf.org/html/rfc4346>.

6. RFC 2818: HTTP Over TLS <http://tools.ietf.org/html/rfc2818>.

7. RFC 4347: Datagram Transport Layer Security <http://tools.ietf.org/html/rfc4347>.

8. RFC 3920: Extensible Messaging and Presence Protocol (XMPP): Core <http://tools.ietf.org/html/rfc3920>.

9. XEP-0166: Jingle <http://xmpp.org/extensions/xep-0166.html>.

10. XEP-0247: Jingle XML Streams <http://xmpp.org/extensions/xep-0247.html>.

11. XEP-0045: Multi-User Chat <http://xmpp.org/extensions/xep-0045.html>.

12. XEP-0234: Jingle File Transfer <http://xmpp.org/extensions/xep-0234.html>.

13. XEP-0167: Jingle RTP Sessions <http://xmpp.org/extensions/xep-0167.html>.

14. Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP) <http://tools.ietf.org/html/draft-ietf-avt-dtls-srtp>. Work in progress.

15. XEP-0210: Requirements for Encrypted Sessions <http://xmpp.org/extensions/xep-0210.html>.

16. XEP-0047: In-Band Bytestreams <http://xmpp.org/extensions/xep-0047.html>.

17. RFC 4347: Datagram Transport Layer Security <http://tools.ietf.org/html/rfc4347>.

18. XEP-0261: Jingle In-Band Bytestreams Transport Method <http://xmpp.org/extensions/xep-0261.html>.

19. XEP-0261: Jingle In-Band Bytestreams Transport Method <http://xmpp.org/extensions/xep-0261.html>.

20. XEP-0260: Jingle SOCKS5 Bytestreams Transport Method <http://xmpp.org/extensions/xep-0260.html>.

21. XEP-0176: Jingle ICE-UDP Transport Method <http://xmpp.org/extensions/xep-0176.html>.

22. RFC 5054: Using the Secure Remote Password (SRP) Protocol for TLS Authentication <http://tools.ietf.org/html/rfc5054>.

23. Salted Challenge Response (SCRAM) SASL Mechanism <http://tools.ietf.org/html/draft-newman-auth-scram>. Work in progress.

24. RFC 5056: On the Use of Channel Bindings to Secure Channels <http://tools.ietf.org/html/rfc5056>.

25. XEP-0189: Public Key Publishing <http://xmpp.org/extensions/xep-0189.html>.

26. XEP-0030: Service Discovery <http://xmpp.org/extensions/xep-0030.html>.

27. XEP-0115: Entity Capabilities <http://xmpp.org/extensions/xep-0115.html>.

28. rfc3920bis: proposed revisions to Extensible Messaging and Presence Protocol (XMPP): Core <http://tools.ietf.org/html/draft-saintandre-rfc3920bis>. (work in progress)

29. The Internet Assigned Numbers Authority (IANA) is the central coordinator for the assignment of unique parameter values for Internet protocols, such as port numbers and URI schemes. For further information, see <http://www.iana.org/>.

30. The XMPP Registrar maintains a list of reserved protocol namespaces as well as registries of parameters used in the context of XMPP extension protocols approved by the XMPP Standards Foundation. For further information, see <http://xmpp.org/registrar/>.

31. XEP-0053: XMPP Registrar Function <http://xmpp.org/extensions/xep-0053.html>.


Appendix H: Revision History

Version 0.0.4 (2009-02-21)

Improved the documentation about exchanging passwords and certificates.

(dm)

Version 0.0.3 (2009-02-20)

Simplified the syntax; added sections on requirements and approach; more clearly specified methods of bootstrapping trust on the first communication session.

(psa/dm)

Version 0.0.2 (2009-02-20)

Clarified order of events to be consistent with jingle-s5b; used TLS-SRP for password based authentication; added some documentation about password authentication in general.

(dm)

Version 0.0.1 (2009-02-12)

First draft, based on previous attempts for end-to-end security.

(dm)

END