Last Call Review of draft-ietf-xmpp-3920bis-
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.
The document updates RFC 3920, which is the definition of the core XMPP
real-time messaging protocol. It should be noted the instant messaging
and presence are layered on top of this protocol, and specified separately.
The document is initially intimidating, because of its length. But it is
extremely well written (for which I would like to thank the editor) and
well organized. So overall, a good read.
I have not found anything that I consider a glaring security hole. But
this is a layered security architecture (application layer == XMPP core
== SASL == TLS) which is not easy to do right. Hence the large number of
comments and questions below.
I also appreciate the open discussion of the existing implementations
and their security issues (e.g. "server dialback", shiver). I hope this
document results in a security improvement in real deployments.
Note: these comments are based on rev -17 of the draft. This only
matters as far as section numbers, with the only security-relevant
change in -18 being a useful note on end-to-end protection.
- 1.3: Implementation note: I suggest adding something like "Solutions
specified in this document offer a significantly better level of security."
- 3.3: why do we not recommend to use TLS (stateless) session resumption
- 4.2.5 the access control rule at the bottom of this section makes
sense. Why why does it explicitly not apply to elements other than XML
stanzas? Are there cases where you negotiate TLS with someone other than
the server? You can even imagine weird tunneling attacks using this
- 4.2.5: "other than itself" - am I really allowed to send "message"
stanzas from one resource of a JID to another resource of the same JID,
before feature negotiation and before TLS negotiation?
- 4.2.6: why do we even allow non-SASL protected server-to-server
- 4.3: How is TLS negotiated for the additional streams? How is it bound
to the SASL negotiation that (apparently) only takes place once?
- 4.4: this section appears to tie the two streams in the opposite
directions together - when you close one you expect the other guy to
close the other ASAP. But what is the behavior for "multiple streams
over multiple connections" (Sec. 4.3)?
- 4.4: what about orderly tear-down of the TLS association ("closure
- 22.214.171.124: does not-authorized only refer to stream-level, rather than
stanza-level errors? Are there cases when I am authorized to send some
stanza types but not others?
- 126.96.36.199 remote-connection-failed has dubious security benefit (why
tell the world that your RADIUS server is down), compared to reusing
- 188.8.131.52: shouldn't we say that "reset" (when the stream is encrypted)
also applies to the higher layers, i.e. encryption and authentication
should be performed again?
- 184.108.40.206: what are the security implications of a "redirect"? Should
the client apply the same policy, e.g. for using TLS, as for the
original server? Which "to" identity to use? Can redirection occur
before the recipient is even authenticated?
- 4.9: Don't we resend the "stream" header again after completing the
TLS negotiation (Sec. 4.2.3).
- 5.3.5: the text mentions that client certificates are "sufficiently
rare", which is a pity because they do make sense for server-to-server
interaction. So I suggest to promote renegotiation from OPTIONAL to
- 5.3.6: extensions may be out of scope. But I think we need to include
a few words re: the TLS version, at least to prohibit SSL 3.0.
- 5.4.1: don't you have to declare version >= 1.0 if you simply support
this draft? Same question in 6.4.1.
- 220.127.116.11: why is the initiator required to present a certificate "So
that mutual authentication will be possible"? There are many other ways
of ensuring mutual auth. I suggest to reword as "mutual certificate
- Global replace TLS "cipher" -> "ciphersuite".
- 18.104.22.168, bullet 5: actually, based on the "from" attribute that the
receiving entity has just sent.
- 22.214.171.124: where do we say that both sides must validate the "to" and
"from" identities in view of the identities presented at the TLS layer
- 6.3.2: do you restart the stream twice, once after TLS and once after
- 6.3.3: shouldn't we simply "MUST NOT" the PLAIN mechanism?
- 6.3.7: and what is the identity used for server-to-server auth? Also,
it is very uncommon to consider the password as part of the identity.
- 6.4.4: isn't it inconsistent that SASL aborts are converted into XMPP
failures, but TLS failures are not?
- 126.96.36.199: the preferred option #1, while reasonable in itself, does not
allow the client to determine its own policy (whether it wants multiple
sessions from multiple devices or not).
- 188.8.131.52: any validated domain -> any validated subdomain.
- 8.3.1, rule #2: if the error is a result of something gone bad with
the addresses, then simply swapping "to" and "from" may not be
appropriate, and may even be a security issue.
- Same, rule #6, the recipient MUST NOT include the original XML if it's
not well formed, right?
- 8.3.2: MUST NOT... be presented to the human user - this is impossible
to enforce, and most likely will not be followed. Moreover, there's a
reason why we include a language tag. I suggest to tone it down a bit.
- 184.108.40.206: what are "improper credentials"? It sounds like we are not
differentiating the conditions of authentication failure vs.
- 220.127.116.11: the "security note" doesn't makes sense to me - no matter
what error code is returned, the sender has gained information that we
don't want to provide. The note should say something along the lines of:
such services must not be available to entities that cannot be trusted
with knowing the status of an arbitrary recipient. See also 18.104.22.168.
- 22.214.171.124: Are there no security implications to redirection at the
- 126.96.36.199: The "wait" error type might not be appropriate for some
situations, e.g. authentication issues.
- 188.8.131.52: do you explain anywhere what is the difference between
"prior registration" and "prior subscription"?
- 9.1.1, step 7: this is utterly trivial, but please mention that the
new "stream" element is sent over TLS.
- 9.1.5: as I noted in Sec. 4.4, the TLS connection needs to be closed
- 10.2: "try many different resources", I suppose it is typically fewer
than 10 per JID, which does not make the attack uninteresting.
- 10.4.2: if the protocol supports routing, shouldn't we mention that
there are cases where the IQ stanza will be forwarded to another server,
not the one mentioned in the "To" header? And what about loop prevention?
- 10.5.3.3: this is a strange rule. Does it mean that if I'm using a
desktop (/desktop) and a mobile (/mobile), and I'm connected to the
desktop, I cannot have messages targeted at my mobile be deferred (and
stored somewhere) until I connect from that device?
- 13.4: "for the ensuring" -> "for ensuring" (or: to ensure).
- 13.4: the security note is confusing, because it is unclear whether it
has any normative status. Otherwise, it is almost trivial: of course you
can provide these guarantees by different means.
- 13.4: the cipher suites are not just "nun-null". They MUST provide
both confidentiality and integrity.
- 13.6: the out-of-band trust chain rule may be practical for
server-to-server connections, but probably not for large client
deployments and when certificates are sometimes rolled over.
- 13.7: terminology: "mutual authentication" describes authentication
with client certs, just as much as it describes the server presenting a
cert and the client authenticating with SASL. This also applies to 5.4.3.
- 184.108.40.206: The word "issuer" is ambiguous. It usually refers to a
person/organization, but here you use it to refer to the certificate
itself. How about replacing the heading of the second list by: "the
following rules apply to issuer certificates, used to sign XMPP
- 220.127.116.11: it's strange to specify the hash algorithm, but not the
signature algorithm (RSA-512 anyone?)
- 18.104.22.168: what are "access certificates"? Neither 5280 nor Google can
help... And how can an issuer cert NOT be marked with the CA bit?
- 22.214.171.124: and most important, is the "relying party" (e.g. the client)
required to check all these rules and fail validation if any of them is
- 126.96.36.199.2: enabling entity -> enabling entities.
- 188.8.131.52: "conjuction" misspelled.
- 13.7.2: "An implementation MUST enable a human user to view
information about the certification path." I'm afraid this is security
theater, because 99.5% of your target population cannot understand this
- 184.108.40.206.1: "MUST either validate" - incomplete sentence (and
actually, at a sensitive point in the text).
- 220.127.116.11.1, subcase #3: please mention that some servers will simply
fail validation at this point, subject to their policy. I.e., some might
insist on correct client certs.
- 18.104.22.168: "periodically query OCSP" - is there any guidance about the
period? Is a recommended period specified in the cert or communicated by
the OCSP responder?
- 13.7.2: a silly question, but anyway: where do you say that the
client's cert is correlated with the client's JID, as it appears in the
From line (when setting up the original stream and/or when setting the
stream anew after TLS negotiation)? And vice versa, for the server cert
and the client's To header.
- 13.8: I suggest to add (here or elsewhere): "All password-based
mechanisms are susceptible to password guessing attacks, and therefore
the authenticator MUST implement common rate-limiting mitigations."
- 13.8: "For both confidentiality and authentication with passwords" -
here you don't specify a TLS ciphersuite.
- 13.8: the note kind of implies that PLAIN is preferable to DIGEST-MD5,
which is clearly not the case.
- 13.9.4: why is SASL-PLAIN singled out here? Other mechanisms are
susceptible to off-line password guessing when used without TLS
confidentiality, which is not a trivial attack but still a significant risk.
- 13.11: all three examples of "service unavailable" can be ruled out on
an operational server. Are there no better examples?
- 15: The sasl-whitespace "feature" is not really a feature, because
you'd fail any interoperability if you send whitespace during the SASL
phase, right? Similarly tls-whitespace.
- 15: if we insist on PLAIN, I would expect a security-mti-auth-order
feature, where the proposals are ordered right (i.e. with PLAIN at the end).
- 15: why is confidentiality-only a MUST? Is it widely deployed? Is it
required for backward compatibility? By the way, please expand the
acronym MTI somewhere.
- 15: and hey, there's no feature defined for TLS+SCRAM+? Isn't this the
one we want/expect to be deployed?
- 15: stanza-* features - if you have an XML schema, can't you just say
that conformance to the schema is REQUIRED and eliminate all this stuff?
Given that these are MUSTs, not SHOULDs, a formal specification is so
much easier to validate. This does *not* contradict the fact that
runtime validation is optional.
- 15: I would expect one or a few features around validation of
identities at the various layers, since we're spending much of the
document on this issue. "tls-certs" is an important piece of that, but
not the whole thing.