draft-ietf-xmpp-dna-11.txt   rfc7712.txt 
Network Working Group P. Saint-Andre Internet Engineering Task Force (IETF) P. Saint-Andre
Internet-Draft &yet Request for Comments: 7712 &yet
Intended status: Standards Track M. Miller Category: Standards Track M. Miller
Expires: March 4, 2016 Cisco Systems, Inc. ISSN: 2070-1721 Cisco Systems, Inc.
P. Hancke P. Hancke
&yet &yet
September 1, 2015 November 2015
Domain Name Associations (DNA) in the Extensible Messaging and Presence Domain Name Associations (DNA)
Protocol (XMPP) in the Extensible Messaging and Presence Protocol (XMPP)
draft-ietf-xmpp-dna-11
Abstract Abstract
This document improves the security of the Extensible Messaging and This document improves the security of the Extensible Messaging and
Presence Protocol (XMPP) in two ways. First, it specifies how to Presence Protocol (XMPP) in two ways. First, it specifies how to
establish a strong association between a domain name and an XML establish a strong association between a domain name and an XML
stream, using the concept of "prooftypes". Second, it describes how stream, using the concept of "prooftypes". Second, it describes how
to securely delegate a service domain name (e.g., example.com) to a to securely delegate a service domain name (e.g., example.com) to a
target server host name (e.g., hosting.example.net), which is target server hostname (e.g., hosting.example.net); this is
especially important in multi-tenanted environments where the same especially important in multi-tenanted environments where the same
target server hosts a large number of domains. target server hosts a large number of domains.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on March 4, 2016. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7712.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction ....................................................3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology .....................................................4
3. Client-to-Server (C2S) DNA . . . . . . . . . . . . . . . . . 4 3. Client-to-Server (C2S) DNA ......................................4
3.1. C2S Flow . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. C2S Flow ...................................................4
3.2. C2S Description . . . . . . . . . . . . . . . . . . . . . 4 3.2. C2S Description ............................................5
4. Server-to-Server (S2S) DNA . . . . . . . . . . . . . . . . . 5 4. Server-to-Server (S2S) DNA ......................................5
4.1. S2S Flow . . . . . . . . . . . . . . . . . . . . . . . . 5 4.1. S2S Flow ...................................................6
4.2. A Simple S2S Scenario . . . . . . . . . . . . . . . . . . 9 4.2. A Simple S2S Scenario .....................................10
4.3. No Mutual PKIX Authentication . . . . . . . . . . . . . . 10 4.3. No Mutual PKIX Authentication .............................12
4.4. Piggybacking . . . . . . . . . . . . . . . . . . . . . . 12 4.4. Piggybacking ..............................................13
4.4.1. Assertion . . . . . . . . . . . . . . . . . . . . . . 12 4.4.1. Assertion ..........................................13
4.4.2. Supposition . . . . . . . . . . . . . . . . . . . . . 13 4.4.2. Supposition ........................................15
5. Alternative Prooftypes . . . . . . . . . . . . . . . . . . . 14 5. Alternative Prooftypes .........................................16
5.1. DANE . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5.1. DANE ......................................................16
5.2. POSH . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5.2. POSH ......................................................17
6. Secure Delegation and Multi-Tenancy . . . . . . . . . . . . . 16 6. Secure Delegation and Multi-Tenancy ............................18
7. Prooftype Model . . . . . . . . . . . . . . . . . . . . . . . 17 7. Prooftype Model ................................................18
8. Guidance for Server Operators . . . . . . . . . . . . . . . . 17 8. Guidance for Server Operators ..................................19
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 9. IANA Considerations ............................................20
9.1. POSH Service Name for xmpp-client Service . . . . . . . . 18 9.1. POSH Service Name for xmpp-client Service .................20
9.2. POSH Service Name for xmpp-server Service . . . . . . . . 19 9.2. POSH Service Name for xmpp-server Service .................20
10. Security Considerations . . . . . . . . . . . . . . . . . . . 19 10. Security Considerations .......................................20
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 11. References ....................................................21
11.1. Normative References . . . . . . . . . . . . . . . . . . 19 11.1. Normative References .....................................21
11.2. Informative References . . . . . . . . . . . . . . . . . 21 11.2. Informative References ...................................23
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 22 Acknowledgements ..................................................24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses ................................................24
1. Introduction 1. Introduction
In systems that use the Extensible Messaging and Presence Protocol In systems that use the Extensible Messaging and Presence Protocol
(XMPP) [RFC6120], it is important to establish a strong association (XMPP) [RFC6120], it is important to establish a strong association
between the DNS domain name of an XMPP service (e.g., example.com) between the DNS domain name of an XMPP service (e.g., example.com)
and the XML stream that a client or peer server initiates with that and the XML stream that a client or peer server initiates with that
service. In other words, the client or peer server needs to verify service. In other words, the client or peer server needs to verify
the identity of the server to which it connects. Additionally, the identity of the server to which it connects. Additionally,
servers need to verify incoming connections from other servers. servers need to verify incoming connections from other servers.
To date, such verification has been established based on information To date, such verification has been established based on information
obtained from the Domain Name System (DNS), the Public Key obtained from the Domain Name System (DNS), the Public Key
Infrastructure (PKI), or similar sources. In particular, XMPP as Infrastructure (PKI), or similar sources. In particular, XMPP as
defined in [RFC6120] assumed that domain name associations are to be defined in [RFC6120] assumed that Domain Name Associations (DNA) are
proved using the "PKIX prooftype"; that is, the server's proof to be proved using the "PKIX prooftype"; that is, the server's proof
consists of a PKIX certificate that is checked according to the XMPP consists of a PKIX certificate that is checked according to the XMPP
profile of the matching rules from [RFC6125] (and the overall profile of the matching rules from [RFC6125] (and the overall
validation rules from [RFC5280]), the client's verification material validation rules from [RFC5280]), the client's verification material
is obtained out of band in the form of a trusted root, and secure DNS is obtained out of band in the form of a trusted root, and secure DNS
is not necessary. is not necessary.
By extending the concept of a domain name association within XMPP, By extending the concept of a domain name association within XMPP,
this document does the following: this document does the following:
1. Generalizes the model currently in use so that additional 1. Generalizes the model currently in use so that additional
prooftypes can be defined if needed. prooftypes can be defined if needed.
2. Provides a basis for modernizing some prooftypes to reflect 2. Provides a basis for modernizing some prooftypes to reflect
progress in underlying technologies such as DNS Security progress in underlying technologies such as DNS Security
[RFC4033]. [RFC4033].
3. Describes the flow of operations for establishing a domain name 3. Describes the flow of operations for establishing a domain name
association (DNA). association.
This document also provides guidelines for secure delegation of a This document also provides guidelines for secure delegation of a
service domain name (e.g., example.com) to a target server host name service domain name (e.g., example.com) to a target server hostname
(e.g., hosting.example.net). The need for secure delegation arises (e.g., hosting.example.net). The need for secure delegation arises
because the process for resolving the domain name of an XMPP service because the process for resolving the domain name of an XMPP service
into the IP address at which an XML stream will be negotiated (see into the IP address at which an XML stream will be negotiated (see
[RFC6120]) can involve delegation of a service domain name to a [RFC6120]) can involve delegation of a service domain name to a
target server host name using technologies such as DNS SRV records target server hostname using technologies such as DNS SRV records
[RFC2782]. A more detailed description of the delegation problem can [RFC2782]. A more detailed description of the delegation problem can
be found in [I-D.ietf-xmpp-posh]. The domain name association can be be found in [RFC7711]. The domain name association can be verified
verified only if the delegation is done in a secure manner. only if the delegation is done in a secure manner.
2. Terminology 2. Terminology
This document inherits XMPP terminology from [RFC6120] and This document inherits XMPP terminology from [RFC6120] and
[XEP-0220], DNS terminology from [RFC1034], [RFC1035], [RFC2782] and [XEP-0220]; DNS terminology from [RFC1034], [RFC1035], [RFC2782], and
[RFC4033], and security terminology from [RFC4949] and [RFC5280]. [RFC4033]; and security terminology from [RFC4949] and [RFC5280].
The terms "reference identity", and "presented identity" are used as The terms "reference identity" and "presented identity" are used as
defined in the "CertID" specification [RFC6125]. For the sake of defined in the "CertID" specification [RFC6125]. For the sake of
consistency with [I-D.ietf-dane-srv], this document uses the terms consistency with [RFC7673], this document uses the terms "service
"service domain name" and "target server host name" to refer to the domain name" and "target server hostname" to refer to the same
same entities identified by the terms "source domain" and "derived entities identified by the terms "source domain" and "derived domain"
domain" from [RFC6125]. from [RFC6125].
3. Client-to-Server (C2S) DNA 3. Client-to-Server (C2S) DNA
The client-to-server case is much simpler than the server-to-server The client-to-server case is much simpler than the server-to-server
case because the client does not assert a domain name, which means case because the client does not assert a domain name; this means
verification happens in only one direction. Therefore we describe that verification happens in only one direction. Therefore, we
this case first to help the reader understand domain name describe this case first to help the reader understand domain name
associations in XMPP. associations in XMPP.
3.1. C2S Flow 3.1. C2S Flow
The following flow chart illustrates the protocol flow for The following flow chart illustrates the protocol flow for
establishing a domain name association for an XML stream from a establishing a domain name association for an XML stream from a
client (C) to a server (S) using the standard PKIX prooftype client (C) to a server (S) using the standard PKIX prooftype
specified in [RFC6120]. specified in [RFC6120].
| |
skipping to change at page 4, line 43 skipping to change at page 5, line 8
| S: Server Certificate | | S: Server Certificate |
| | | |
+----------------------------------------------------+ +----------------------------------------------------+
| |
(client checks certificate and (client checks certificate and
establishes DNA for a.example) establishes DNA for a.example)
3.2. C2S Description 3.2. C2S Description
The simplified order of events (see [RFC6120] for details) in The simplified order of events (see [RFC6120] for details) in
establishing an XML stream from a client (user@a.exmaple) to a server establishing an XML stream from a client (user@a.example) to a server
(a.example) is as follows: (a.example) is as follows:
1. The client resolves via DNS the service _xmpp- 1. The client resolves via DNS the service
client._tcp.a.example. _xmpp-client._tcp.a.example.
2. The client opens a TCP connection to the resolved IP address. 2. The client opens a TCP connection to the resolved IP address.
3. The client sends an initial stream header to the server: 3. The client sends an initial stream header to the server:
<stream:stream to='a.example'> <stream:stream to='a.example'>
4. The server sends a response stream header to the client, 4. The server sends a response stream header to the client,
asserting that it is a.example: asserting that it is a.example:
skipping to change at page 5, line 27 skipping to change at page 5, line 40
if the proof is consistent with the XMPP profile of the matching if the proof is consistent with the XMPP profile of the matching
rules from [RFC6125] and the certificate is otherwise valid rules from [RFC6125] and the certificate is otherwise valid
according to [RFC5280], the client accepts that there is a strong according to [RFC5280], the client accepts that there is a strong
domain name association between its stream to the target server domain name association between its stream to the target server
and the DNS domain name of the XMPP service. and the DNS domain name of the XMPP service.
The certificate that the server presents might not be acceptable to The certificate that the server presents might not be acceptable to
the client. As one example, the server might be hosting multiple the client. As one example, the server might be hosting multiple
domains and secure delegation as described in Section 6 is necessary. domains and secure delegation as described in Section 6 is necessary.
As another example, the server might present a self-signed As another example, the server might present a self-signed
certificate, which requires the client to apply either the fallback certificate, which requires the client to either (1) apply the
process described in section 6.6.4 of [RFC6125] or prompt the user to fallback process described in Section 6.6.4 of [RFC6125] or
accept an unauthenticated connection as described in Section 3.4 of (2) prompt the user to accept an unauthenticated connection as
[RFC7590]. described in Section 3.4 of [RFC7590].
4. Server-to-Server (S2S) DNA 4. Server-to-Server (S2S) DNA
The server-to-server case is significantly more complex than the The server-to-server case is significantly more complex than the
client-to-server case, and involves checking of domain name client-to-server case, and it involves the checking of domain name
associations in both directions along with other "wrinkles" described associations in both directions along with other "wrinkles"
in the following sections. In some parts of the flow, server-to- described in the following sections. In some parts of the flow,
server communications use the Server Dialback protocol first server-to-server communications use the Server Dialback protocol
specified in (the now obsolete) [RFC3920] and since moved to first specified in (the now obsolete) [RFC3920] and since moved to
[XEP-0220]. See "Impact of TLS and DNSSEC on Dialback" [XEP-0344] [XEP-0220]. See "Impact of TLS and DNSSEC on Dialback" [XEP-0344]
for considerations when using it together with TLS and DNSSEC. Also, for considerations when using it together with TLS and DNSSEC. Also,
"Bidirectional Server-to-Server Connections" [XEP-0288] provides a "Bidirectional Server-to-Server Connections" [XEP-0288] provides a
way to use the server-to-server connections for bidirectional way to use the server-to-server connections for bidirectional
exchange of XML stanzas, which reduces the complexity of some of the exchange of XML stanzas, which reduces the complexity of some of the
processes involved. processes involved.
4.1. S2S Flow 4.1. S2S Flow
The following flow charts illustrate the protocol flow for The following flow charts illustrate the protocol flow for
establishing domain name associations between Server 1 (the establishing domain name associations between Server 1 (the
initiating entity) and Server 2 (the receiving entity), as described initiating entity) and Server 2 (the receiving entity), as described
in the remaining sections of this document. in the remaining sections of this document.
A simple S2S scenario would be as follows. A simple S2S scenario would be as follows:
| |
DNS RESOLUTION ETC. DNS RESOLUTION ETC.
| |
+-------------STREAM HEADERS--------------------+ +-------------STREAM HEADERS--------------------+
| | | |
| A: <stream from='a.example' to='b.example'> | | A: <stream from='a.example' to='b.example'> |
| | | |
| B: <stream from='b.example' to='a.example'> | | B: <stream from='b.example' to='a.example'> |
| | | |
skipping to change at page 6, line 30 skipping to change at page 7, line 6
| B: Server Certificate | | B: Server Certificate |
| B: Certificate Request | | B: Certificate Request |
| A: Client Certificate | | A: Client Certificate |
| | | |
+-----------------------------------------------+ +-----------------------------------------------+
| |
(A establishes DNA for b.example) (A establishes DNA for b.example)
| |
After the domain name association has been established in one After the domain name association has been established in one
direction, it is possible to perform mutual authentication using direction, it is possible to perform mutual authentication using the
Simple Authentication and Security Layer (SASL) [RFC4422] and thus Simple Authentication and Security Layer (SASL) [RFC4422] and thus
establish domain name associations in both directions. establish domain name associations in both directions.
| |
+-------------AUTHENTICATION--------------------+ +-------------AUTHENTICATION--------------------+
| | | | | |
| {valid client certificate?} --+ | | {valid client certificate?} --+ |
| | | | | | | |
| | yes no | | | | yes no | |
| v | | | v | |
skipping to change at page 7, line 5 skipping to change at page 7, line 30
+-------------------------------------|---------+ +-------------------------------------|---------+
| |
However, if mutual authentication cannot be completed using SASL, the However, if mutual authentication cannot be completed using SASL, the
receiving server needs to establish a domain name association in receiving server needs to establish a domain name association in
another way. This scenario is described in Section 4.3. another way. This scenario is described in Section 4.3.
| |
+-----------------+ +-----------------+
| |
(Section 4.3: No Mutual PKIX authentication) (Section 4.3: No Mutual PKIX Authentication)
| |
| B needs to establish DNA | B needs to establish DNA
| for this stream from a.example, | for this stream from a.example,
| so A asserts its identity | so A asserts its identity
| |
+----------DIALBACK IDENTITY ASSERTION----------+ +----------DIALBACK IDENTITY ASSERTION----------+
| | | |
| A: <db:result from='a.example' | | A: <db:result from='a.example' |
| to='b.example'> | | to='b.example'> |
| some-dialback-key | | some-dialback-key |
skipping to change at page 8, line 25 skipping to change at page 9, line 18
| |
(Section 4.4.1: Piggybacking Assertion) (Section 4.4.1: Piggybacking Assertion)
| |
+----------DIALBACK IDENTITY ASSERTION----------+ +----------DIALBACK IDENTITY ASSERTION----------+
| | | |
| B: <db:result from='c.example' | | B: <db:result from='c.example' |
| to='a.example'/> | | to='a.example'/> |
| | | |
+-----------------------------------------------+ +-----------------------------------------------+
| |
+-----------DNA DANCE AS ABOVE------------------+ +-------DNA ESTABLISHMENT AS ABOVE--------------+
| | | |
| DNS RESOLUTION, STREAM HEADERS, | | DNS RESOLUTION, STREAM HEADERS, |
| TLS NEGOTIATION, AUTHENTICATION | | TLS NEGOTIATION, AUTHENTICATION |
| | | |
+-----------------------------------------------+ +-----------------------------------------------+
| |
+----------DIALBACK IDENTITY VERIFICATION-------+ +----------DIALBACK IDENTITY VERIFICATION-------+
| | | |
| A: <db:result from='a.example' | | A: <db:result from='a.example' |
| to='c.example' | | to='c.example' |
skipping to change at page 9, line 18 skipping to change at page 10, line 20
+-----------SUBSEQUENT CONNECTION---------------+ +-----------SUBSEQUENT CONNECTION---------------+
| | | |
| B: <stream from='c.example' | | B: <stream from='c.example' |
| to='rooms.a.example'> | | to='rooms.a.example'> |
| | | |
| A: <stream from='rooms.a.example' | | A: <stream from='rooms.a.example' |
| to='c.example'> | | to='c.example'> |
| | | |
+-----------------------------------------------+ +-----------------------------------------------+
| |
+-----------DNA DANCE AS ABOVE------------------+ +-------DNA ESTABLISHMENT AS ABOVE--------------+
| | | |
| DNS RESOLUTION, STREAM HEADERS, | | DNS RESOLUTION, STREAM HEADERS, |
| TLS NEGOTIATION, AUTHENTICATION | | TLS NEGOTIATION, AUTHENTICATION |
| | | |
+-----------------------------------------------+ +-----------------------------------------------+
| |
+-----------DIALBACK OPTIMIZATION---------------+ +-----------DIALBACK OPTIMIZATION---------------+
| | | |
| B: <db:result from='c.example' | | B: <db:result from='c.example' |
| to='rooms.a.example'/> | | to='rooms.a.example'/> |
skipping to change at page 9, line 42 skipping to change at page 10, line 44
| type='valid'/> | | type='valid'/> |
| | | |
+-----------------------------------------------+ +-----------------------------------------------+
4.2. A Simple S2S Scenario 4.2. A Simple S2S Scenario
To illustrate the problem, consider the simplified order of events To illustrate the problem, consider the simplified order of events
(see [RFC6120] for details) in establishing an XML stream between (see [RFC6120] for details) in establishing an XML stream between
Server 1 (a.example) and Server 2 (b.example): Server 1 (a.example) and Server 2 (b.example):
1. Server 1 resolves via DNS the service _xmpp- 1. Server 1 resolves via DNS the service
server._tcp.b.example. _xmpp-server._tcp.b.example.
2. Server 1 opens a TCP connection to the resolved IP address. 2. Server 1 opens a TCP connection to the resolved IP address.
3. Server 1 sends an initial stream header to Server 2, asserting 3. Server 1 sends an initial stream header to Server 2, asserting
that it is a.example: that it is a.example:
<stream:stream from='a.example' to='b.example'> <stream:stream from='a.example' to='b.example'>
4. Server 2 sends a response stream header to Server 1, asserting 4. Server 2 sends a response stream header to Server 1, asserting
that it is b.example: that it is b.example:
<stream:stream from='b.example' to='a.example'> <stream:stream from='b.example' to='a.example'>
5. The servers attempt TLS negotiation, during which Server 2 5. The servers attempt TLS negotiation, during which Server 2
(acting as a TLS server) presents a PKIX certificate proving that (acting as a TLS server) presents a PKIX certificate proving that
it is b.example and Server 1 (acting as a TLS client) presents a it is b.example and Server 1 (acting as a TLS client) presents a
PKIX certificate proving that it is a.example. PKIX certificate proving that it is a.example.
6. Server 1 checks the PKIX certificate that Server 2 provided and 6. Server 1 checks the PKIX certificate that Server 2 provided, and
Server 2 checks the PKIX certificate that Server 1 provided; if Server 2 checks the PKIX certificate that Server 1 provided; if
these proofs are consistent with the XMPP profile of the matching these proofs are consistent with the XMPP profile of the matching
rules from [RFC6125] and are otherwise valid according to rules from [RFC6125] and are otherwise valid according to
[RFC5280], each server accepts that there is a strong domain name [RFC5280], each server accepts that there is a strong domain name
association between its stream to the other party and the DNS association between its stream to the other party and the DNS
domain name of the other party (i.e., mutual authentication is domain name of the other party (i.e., mutual authentication is
achieved). achieved).
Several simplifying assumptions underlie the happy scenario just Several simplifying assumptions underlie the "happy path" scenario
outlined: just outlined:
o The PKIX certificate presented by Server 2 during TLS negotiation o The PKIX certificate presented by Server 2 during TLS negotiation
is acceptable to Server 1 and matches the expected identity. is acceptable to Server 1 and matches the expected identity.
o The PKIX certificate presented by Server 1 during TLS negotiation o The PKIX certificate presented by Server 1 during TLS negotiation
is acceptable to Server 2, which enables the parties to complete is acceptable to Server 2; this enables the parties to complete
mutual authentication. mutual authentication.
o There are no additional domains associated with Server 1 and o There are no additional domains associated with Server 1 and
Server 2 (say, a subdomain rooms.a.example on Server 1 or a second Server 2 (say, a sub-domain rooms.a.example on Server 1 or a
domain c.example on Server 2). second domain c.example on Server 2).
o The server administrators are able to obtain PKIX certificates o The server administrators are able to obtain PKIX certificates
issued by a widely-accepted certification authority (CA) in the issued by a widely accepted Certification Authority (CA) in the
first place. first place.
o The server administrators are running their own XMPP servers, o The server administrators are running their own XMPP servers,
rather than using hosting services. rather than using hosting services.
Let's consider each of these "wrinkles" in turn. Let's consider each of these "wrinkles" in turn.
4.3. No Mutual PKIX Authentication 4.3. No Mutual PKIX Authentication
If the PKIX certificate presented by Server 1 during TLS negotiation If the PKIX certificate presented by Server 1 during TLS negotiation
is not acceptable to Server 2, Server 2 is unable to mutually is not acceptable to Server 2, Server 2 is unable to mutually
authenticate Server 1. Therefore, Server 2 needs to verify the authenticate Server 1. Therefore, Server 2 needs to verify the
asserted identity of Server 1 by other means. asserted identity of Server 1 by other means.
1. Server 1 asserts it is a.example using the Server Dialback 1. Server 1 asserts that it is a.example using the Server Dialback
protocol: protocol:
<db:result from='a.example' to='b.example' id='...'>some- <db:result from='a.example' to='b.example'>
dialback-key</db:result> some-dialback-key</db:result>
2. Server 2 resolves via DNS the service _xmpp- 2. Server 2 resolves via DNS the service
server._tcp.a.example. _xmpp-server._tcp.a.example.
3. Server 2 opens a TCP connection to the resolved IP address. 3. Server 2 opens a TCP connection to the resolved IP address.
4. Server 2 sends an initial stream header to Server 1, asserting 4. Server 2 sends an initial stream header to Server 1, asserting
that it is b.example: that it is b.example:
<stream:stream from='b.example' to='a.example'> <stream:stream from='b.example' to='a.example'>
5. Server 1 sends a response stream header to Server 2, asserting 5. Server 1 sends a response stream header to Server 2, asserting
that it is a.example: that it is a.example:
skipping to change at page 11, line 38 skipping to change at page 13, line 6
7. Server 2 checks the PKIX certificate that Server 1 provided (this 7. Server 2 checks the PKIX certificate that Server 1 provided (this
might be the same certificate presented by Server 1 as a client might be the same certificate presented by Server 1 as a client
certificate in the initial connection). However, Server 2 does certificate in the initial connection). However, Server 2 does
not accept this certificate as proving that Server 1 is not accept this certificate as proving that Server 1 is
authorized as a.example and therefore uses another method (here, authorized as a.example and therefore uses another method (here,
the Server Dialback protocol) to establish the domain name the Server Dialback protocol) to establish the domain name
association. association.
8. Server 2 proceeds with Server Dialback in order to establish the 8. Server 2 proceeds with Server Dialback in order to establish the
domain name association. In order to do this it sends a request domain name association. In order to do this, it sends a request
for verification as described in [XEP-0220]: for verification as described in [XEP-0220]:
<db:verify from='b.example' to='a.example' id='...'>some- <db:verify from='b.example' to='a.example'
dialback-key</db:verify> id='...'>some-dialback-key</db:verify>
9. Server 1 responds to this: 9. Server 1 responds to this:
<db:verify from='a.example' to='b.example' id='...' type='valid/> <db:verify from='a.example' to='b.example' id='...' type='valid/>
allowing Server 2 to establish the domain name association. allowing Server 2 to establish the domain name association.
In some situations (e.g., if the Authoritative Server in Server In some situations (e.g., if the Authoritative Server in Server
Dialback presents the same certificate as the Originating Server), it Dialback presents the same certificate as the Originating Server), it
is the practice of some XMPP server implementations to skip steps 8 is the practice of some XMPP server implementations to skip steps 8
and 9. These situations are discussed in "Impact of TLS and DNSSEC and 9. These situations are discussed in "Impact of TLS and DNSSEC
on Dialback" [XEP-0344]. on Dialback" [XEP-0344].
4.4. Piggybacking 4.4. Piggybacking
4.4.1. Assertion 4.4.1. Assertion
Consider the common scenario in which Server 2 hosts not only Consider the common scenario in which Server 2 hosts not only
b.example but also a second domain c.example (often called a "multi- b.example but also a second domain c.example (often called a
tenanted" environment). If a user of Server 2 associated with "multi-tenanted" environment). If a user of Server 2 associated with
c.example wishes to communicate with a friend at a.example, Server 2 c.example wishes to communicate with a friend at a.example, Server 2
needs to send XMPP stanzas from the domain c.example rather than needs to send XMPP stanzas from the domain c.example rather than
b.example. Although Server 2 could open a new TCP connection and b.example. Although Server 2 could open a new TCP connection and
negotiate new XML streams for the domain pair of c.example and negotiate new XML streams for the domain pair of c.example and
a.example, that is wasteful (especially if Server 2 hosts a large a.example, that is wasteful (especially if Server 2 hosts a large
number of domains). Server 2 already has a connection to a.example, number of domains). Server 2 already has a connection to a.example,
so how can it assert that it would like to add a new domain pair to so how can it assert that it would like to add a new domain pair to
the existing connection? the existing connection?
The traditional method for doing so is the Server Dialback protocol The traditional method for doing so is the Server Dialback protocol
[XEP-0220]. Here, Server 2 can send a <db:result/> element for the [XEP-0220]. Here, Server 2 can send a <db:result/> element for the
new domain pair over the existing stream. new domain pair over the existing stream.
<db:result from='c.example' to='a.example'> <db:result from='c.example' to='a.example'>
some-dialback-key some-dialback-key
</db:result> </db:result>
This element functions as Server 2's assertion that it is (also) This <db:result/> element functions as Server 2's assertion that it
c.example, and thus is functionally equivalent to the 'from' address is (also) c.example (thus, the element is functionally equivalent to
of an initial stream header as previously described. the 'from' address of an initial stream header as previously
described).
In response to this assertion, Server 1 needs to obtain some kind of In response to this assertion, Server 1 needs to obtain some kind of
proof that Server 2 really is also c.example. If the certificate proof that Server 2 really is also c.example. If the certificate
presented by Server 2 is also valid for c.example then no further presented by Server 2 is also valid for c.example, then no further
action is necessary. However, if not then Server 1 needs to do a bit action is necessary. However, if not, then Server 1 needs to do a
more work. Specifically, Server 1 can pursue the same strategy it bit more work. Specifically, Server 1 can pursue the same strategy
used before: it used before:
1. Server 1 resolves via DNS the service _xmpp- 1. Server 1 resolves via DNS the service
server._tcp.c.example. _xmpp-server._tcp.c.example.
2. Server 1 opens a TCP connection to the resolved IP address (which 2. Server 1 opens a TCP connection to the resolved IP address (which
might be the same IP address as for b.example). might be the same IP address as for b.example).
3. Server 1 sends an initial stream header to Server 2, asserting 3. Server 1 sends an initial stream header to Server 2, asserting
that it is a.example: that it is a.example:
<stream:stream from='a.example' to='c.example'> <stream:stream from='a.example' to='c.example'>
4. Server 2 sends a response stream header to Server 1, asserting 4. Server 2 sends a response stream header to Server 1, asserting
skipping to change at page 13, line 18 skipping to change at page 14, line 36
<stream:stream from='c.example' to='a.example'> <stream:stream from='c.example' to='a.example'>
5. The servers attempt TLS negotiation, during which Server 2 5. The servers attempt TLS negotiation, during which Server 2
(acting as a TLS server) presents a PKIX certificate proving that (acting as a TLS server) presents a PKIX certificate proving that
it is c.example. it is c.example.
6. At this point, Server 1 needs to establish that, despite 6. At this point, Server 1 needs to establish that, despite
different certificates, c.example is associated with the origin different certificates, c.example is associated with the origin
of the request. This is done using Server Dialback [XEP-0220]: of the request. This is done using Server Dialback [XEP-0220]:
<db:verify from='a.example' to='c.example' id='...'>some- <db:verify from='a.example' to='c.example'
dialback-key</db:verify> id='...'>some-dialback-key</db:verify>
7. Server 2 responds to this: 7. Server 2 responds to this:
<db:verify from='c.example' to='a.example' id='...' type='valid/> <db:verify from='c.example' to='a.example' id='...' type='valid/>
allowing Server 1 to establish the domain name association. allowing Server 1 to establish the domain name association.
Now that Server 1 accepts the domain name association, it informs Now that Server 1 accepts the domain name association, it informs
Server 2 of that fact: Server 2 of that fact:
<db:result from='a.example' to='c.example' type='valid'/> <db:result from='a.example' to='c.example' type='valid'/>
The parties can then terminate the second connection, since it was The parties can then terminate the second connection, because it was
used only for Server 1 to associate a stream with the domain name used only for Server 1 to associate a stream with the domain name
c.example (the dialback key links the original stream to the new c.example (the dialback key links the original stream to the new
association). association).
4.4.2. Supposition 4.4.2. Supposition
Piggybacking can also occur in the other direction. Consider the Piggybacking can also occur in the other direction. Consider the
common scenario in which Server 1 provides XMPP services not only for common scenario in which Server 1 provides XMPP services not only for
a.example but also for a subdomain such as a Multi-User Chat a.example but also for a sub-domain such as a Multi-User Chat
[XEP-0045] service at rooms.a.example. If a user from c.example at [XEP-0045] service at rooms.a.example. If a user from c.example at
Server 2 wishes to join a room on the groupchat sevice, Server 2 Server 2 wishes to join a room on the groupchat service, Server 2
needs to send XMPP stanzas from the domain c.example to the domain needs to send XMPP stanzas from the domain c.example to the domain
rooms.a.example rather than a.example. rooms.a.example rather than a.example.
First, Server 2 needs to determine whether it can piggyback the First, Server 2 needs to determine whether it can piggyback the
domain rooms.a.example on the connection to a.example: domain rooms.a.example on the connection to a.example:
1. Server 2 resolves vua DNS the service _xmpp- 1. Server 2 resolves via DNS the service
server._tcp.rooms.a.example. _xmpp-server._tcp.rooms.a.example.
2. Server 2 determines this resolves to an IP address and port that 2. Server 2 determines that this resolves to an IP address and port
it is already connected to. to which it is already connected.
3. Server 2 determines that the PKIX certificate for that active 3. Server 2 determines that the PKIX certificate for that active
connection would also be valid for the rooms.a.example domain and connection would also be valid for the rooms.a.example domain and
that Server 1 has announced support for dialback errors. that Server 1 has announced support for dialback errors.
Server 2 sends a dialback key to Server 1 over the existing Server 2 sends a dialback key to Server 1 over the existing
connection. connection:
<db:result from='c.example' to='rooms.a.example'> <db:result from='c.example' to='rooms.a.example'>
some-dialback-key some-dialback-key
</db:result> </db:result>
Server 1 then informs Server 2 that it accepts the domain name Server 1 then informs Server 2 that it accepts the domain name
association: association:
<db:result from='rooms.a.example' to='c.example' type='valid'/> <db:result from='rooms.a.example' to='c.example' type='valid'/>
5. Alternative Prooftypes 5. Alternative Prooftypes
The foregoing protocol flows assumed that domain name associations The foregoing protocol flows assumed that domain name associations
were proved using the PKIX prooftype. However, sometimes XMPP server were proved using the PKIX prooftype. However, sometimes XMPP server
administrators are unable or unwilling to obtain valid PKIX administrators are unable or unwilling to obtain valid PKIX
certificates for all of the domains they host at their servers. For certificates for all of the domains they host at their servers.
example: For example:
o In order to issue a PKIX certificate, a CA might try to send email o In order to issue a PKIX certificate, a CA might try to send email
messages to authoritative mailbox names [RFC2142], but the messages to authoritative mailbox names [RFC2142], but the
administrator of a subsidiary service such as im.cs.podunk.example administrator of a subsidiary service such as im.cs.podunk.example
cannot receive email sent to mailto:hostmaster@podunk.example. cannot receive email sent to hostmaster@podunk.example.
o A hosting provider such as hosting.example.net might not want to o A hosting provider such as hosting.example.net might not want to
take on the liability of holding the certificate and private key take on the liability of holding the certificate and private key
for a tenant such as example.com (or the tenant might not want the for a tenant such as example.com (or the tenant might not want the
hosting provider to hold its certificate and private key). hosting provider to hold its certificate and private key).
o Even if PKIX certificates for each tenant can be obtained, the o Even if PKIX certificates for each tenant can be obtained, the
management of so many certificates can introduce a large management of so many certificates can introduce a large
administrative load. administrative load.
(Additional discussion can be found in [I-D.ietf-xmpp-posh].) (Additional discussion can be found in [RFC7711].)
In these circumstances, prooftypes other than PKIX are desirable or In these circumstances, prooftypes other than PKIX are desirable or
necessary. As described below, two alternatives have been defined so necessary. As described below, two alternatives have been defined so
far: DNS-Based Authentication of Named Entities (DANE) and PKIX Over far: DNS-Based Authentication of Named Entities (DANE) and PKIX over
Secure HTTP (POSH). Secure HTTP (POSH).
5.1. DANE 5.1. DANE
The DANE prooftype is defined as follows: The DANE prooftype is defined as follows:
1. The server's proof consists of either a service certificate or 1. The server's proof consists of either a service certificate or
domain-issued certificate (TLSA usage PKIX-EE or DANE-EE, see domain-issued certificate (TLSA usage PKIX-EE or DANE-EE; see
[RFC6698] and [RFC7218]). [RFC6698] and [RFC7218]).
2. The proof is checked by verifying an exact match or a hash of 2. The proof is checked by verifying an exact match or a hash of
either the SubjectPublicKeyInfo or the full certificate. either the SubjectPublicKeyInfo or the full certificate.
3. The client's verification material is obtained via secure DNS 3. The client's verification material is obtained via secure DNS
[RFC4033] as described in [I-D.ietf-dane-srv]. [RFC4033] as described in [RFC7673].
4. Secure DNS is necessary in order to effectively establish an 4. Secure DNS is necessary in order to effectively establish an
alternative chain of trust from the service certificate or alternative chain of trust from the service certificate or
domain-issued certificate to the DNS root. domain-issued certificate to the DNS root.
The DANE prooftype makes use of DNS-Based Authentication of Named The DANE prooftype makes use of DNS-Based Authentication of Named
Entities [RFC6698], specifically the use of DANE with DNS SRV records Entities [RFC6698], specifically the use of DANE with DNS SRV records
[I-D.ietf-dane-srv]. For XMPP purposes, the following rules apply: [RFC7673]. For XMPP purposes, the following rules apply:
o If there is no SRV resource record, pursue the fallback methods o If there is no SRV resource record, pursue the fallback methods
described in [RFC6120]. described in [RFC6120].
o Use the 'to' address of the initial stream header to determine the o Use the 'to' address of the initial stream header to determine the
domain name of the TLS client's reference identifier (since use of domain name of the TLS client's reference identifier (because the
the Server Name Indication extension (TLS SNI) [RFC6066] is purely use of the Server Name Indication extension (TLS SNI) [RFC6066] is
discretionary in XMPP, as mentioned in [RFC6120]). purely discretionary in XMPP, as mentioned in [RFC6120]).
5.2. POSH 5.2. POSH
The POSH prooftype is defined as follows: The POSH prooftype is defined as follows:
1. The server's proof consists of a PKIX certificate. 1. The server's proof consists of a PKIX certificate.
2. The proof is checked according to the rules from [RFC6120] and 2. The proof is checked according to the rules from [RFC6120] and
[RFC6125]. [RFC6125].
3. The client's verification material is obtained by retrieving a 3. The client's verification material is obtained by retrieving a
hash of the PKIX certificate over HTTPS at a well-known URI hash of the PKIX certificate over HTTPS at a well-known URI
[RFC5785]. [RFC5785].
4. Secure DNS is not necessary since the HTTPS retrieval mechanism 4. Secure DNS is not necessary, because the HTTPS retrieval
relies on the chain of trust from the public key infrastructure. mechanism relies on the chain of trust from the public key
infrastructure.
POSH is defined in [I-D.ietf-xmpp-posh]. For XMPP purposes, the POSH is defined in [RFC7711]. For XMPP purposes, the following rules
following rules apply: apply:
o If no verification material is found via POSH, pursue the fallback o If no verification material is found via POSH, pursue the fallback
methods described in [RFC6120]. methods described in [RFC6120].
o Use the 'to' address of the initial stream header to determine the o Use the 'to' address of the initial stream header to determine the
domain name of the TLS client's reference identifier (since use of domain name of the TLS client's reference identifier (because the
the Server Name Indication extension (TLS SNI) [RFC6066] is purely use of TLS SNI [RFC6066] is purely discretionary in XMPP, as
discretionary in XMPP, as mentioned in [RFC6120]). mentioned in [RFC6120]).
The well-known URIs [RFC5785] to be used for POSH are: The well-known URIs [RFC5785] to be used for POSH are:
o "/.well-known/posh/xmpp-client.json" for client-to-server o "/.well-known/posh/xmpp-client.json" for client-to-server
connections connections
o "/.well-known/posh/xmpp-server.json" for server-to-server o "/.well-known/posh/xmpp-server.json" for server-to-server
connections connections
6. Secure Delegation and Multi-Tenancy 6. Secure Delegation and Multi-Tenancy
One common method for deploying XMPP services is multi-tenancy: e.g., One common method for deploying XMPP services is multi-tenancy: e.g.,
XMPP services for the service domain example.com are actually hosted XMPP services for the service domain name example.com are actually
at the target server hosting.example.net. Such an arrangement is hosted at the target server hosting.example.net. Such an arrangement
relatively convenient in XMPP given the use of DNS SRV records is relatively convenient in XMPP given the use of DNS SRV records
[RFC2782], such as the following delegation from example.com to [RFC2782], such as the following delegation from example.com to
hosting.example.net: hosting.example.net:
_xmpp-server._tcp.example.com. 0 IN SRV 0 0 5269 hosting.example.net _xmpp-server._tcp.example.com. 0 IN SRV 0 0 5269 hosting.example.net
Secure connections with multi-tenancy can work using the PKIX Secure connections with multi-tenancy can work using the PKIX
prooftype on a small scale if the provider itself wishes to host prooftype on a small scale if the provider itself wishes to host
several domains (e.g., related domains such as jabber-de.example and several domains (e.g., related domains such as jabber-de.example and
jabber-ch.example). However, in practice the security of multi- jabber-ch.example). However, in practice the security of
tenancy has been found to be unwieldy when the provider hosts large multi-tenancy has been found to be unwieldy when the provider hosts
numbers of XMPP services on behalf of multiple tenants (see large numbers of XMPP services on behalf of multiple tenants (see
[I-D.ietf-xmpp-posh] for a detailed description). As a result, [RFC7711] for a detailed description). There are two possible
server-to-server communications to example.com go unencrypted or the results: either (1) server-to-server communications to example.com
communications are TLS-encrypted but the certificates are not checked are unencrypted or (2) the communications are TLS-encrypted but the
(which is functionally equivalent to a connection using an anonymous certificates are not checked (which is functionally equivalent to a
key exchange). This is also true of client-to-server communications, connection using an anonymous key exchange). This is also true of
forcing end users to override certificate warnings or configure their client-to-server communications, forcing end users to override
clients to accept or "pin" certificates for hosting.example.net certificate warnings or configure their clients to accept or "pin"
instead of example.com. The fundamental problem here is that if certificates for hosting.example.net instead of example.com. The
DNSSEC is not used then the act of delegation via DNS SRV records is fundamental problem here is that if DNSSEC is not used, then the act
inherently insecure. of delegation via DNS SRV records is inherently insecure.
The specification for use of SRV records with DANE
[I-D.ietf-dane-srv] explains how to use DNSSEC for secure delegation
with the DANE prooftype, and the POSH specification
[I-D.ietf-xmpp-posh] explains how to use HTTPS redirects for secure The specification for the use of SRV records with DANE [RFC7673]
delegation with the POSH prooftype. explains how to use DNSSEC for secure delegation with the DANE
prooftype, and the POSH specification [RFC7711] explains how to use
HTTPS redirects for secure delegation with the POSH prooftype.
7. Prooftype Model 7. Prooftype Model
In general, a domain name association (DNA) prooftype conforms to the In general, a Domain Name Association (DNA) prooftype conforms to the
following definition: following definition:
prooftype: A mechanism for proving an association between a domain prooftype: A mechanism for proving an association between a domain
name and an XML stream, where the mechanism defines (1) the nature name and an XML stream, where the mechanism defines (1) the nature
of the server's proof, (2) the matching rules for comparing the of the server's proof, (2) the matching rules for comparing the
client's verification material against the server's proof, (3) how client's verification material against the server's proof, (3) how
the client obtains its verification material, and (4) whether the the client obtains its verification material, and (4) whether or
mechanism depends on secure DNS. not the mechanism depends on secure DNS.
The PKIX, DANE, and POSH prooftypes adhere to this model. (Some The PKIX, DANE, and POSH prooftypes adhere to this model. (Some
prooftypes depend on, or are enhanced by, secure DNS [RFC4033] and prooftypes depend on, or are enhanced by, secure DNS [RFC4033] and
thus also need to describe how they ensure secure delegation.) thus also need to describe how they ensure secure delegation.)
Other prooftypes are possible; examples might include TLS with Pretty
Other prooftypes are possible; examples might include TLS with PGP Good Privacy (PGP) keys [RFC6091], a token mechanism such as Kerberos
keys [RFC6091], a token mechanism such as Kerberos [RFC4120] or OAuth [RFC4120] or OAuth [RFC6749], and Server Dialback keys [XEP-0220].
[RFC6749], and Server Dialback keys [XEP-0220].
Although the PKIX prooftype reuses the syntax of the XMPP Server Although the PKIX prooftype reuses the syntax of the XMPP Server
Dialback protocol [XEP-0220] for signaling between servers, this Dialback protocol [XEP-0220] for signaling between servers, this
framework document does not define how the generation and validation framework document does not define how the generation and validation
of Server Dialback keys (also specified in [XEP-0220]) is a DNA of Server Dialback keys (also specified in [XEP-0220]) constitute a
prooftype. However, nothing in this document prevents the continued DNA prooftype. However, nothing in this document prevents the
use of Server Dialback for signaling, and a future specification (or continued use of Server Dialback for signaling, and a future
an updated version of [XEP-0220]) might define a DNA prooftype for specification (or an updated version of [XEP-0220]) might define a
Server Dialback keys in a way that is consistent with this framework. DNA prooftype for Server Dialback keys in a way that is consistent
with this framework.
8. Guidance for Server Operators 8. Guidance for Server Operators
This document introduces the concept of a prooftype in order to This document introduces the concept of a prooftype in order to
explain and generalize the approach to establishing a strong explain and generalize the approach to establishing a strong
association between the DNS domain name of an XMPP service and the association between the DNS domain name of an XMPP service and the
XML stream that a client or peer server initiates with that service. XML stream that a client or peer server initiates with that service.
The operations and management implications of DNA prooftypes will The operations and management implications of DNA prooftypes will
depend on the particular prooftypes that an operator supports. For depend on the particular prooftypes that an operator supports.
example: For example:
o To support the PKIX prooftype [RFC6120], an operator needs to o To support the PKIX prooftype [RFC6120], an operator needs to
obtain certificates for the XMPP server from a certification obtain certificates for the XMPP server from a Certification
authority (CA). However, DNS security is not required. Authority (CA). However, DNS Security is not required.
o To support the DANE prooftype [I-D.ietf-dane-srv], an operator can o To support the DANE prooftype [RFC7673], an operator can generate
generate its own certificates for the XMPP server or obtain them its own certificates for the XMPP server or obtain them from a CA.
from a CA. In addition, DNS security is required. In addition, DNS Security is required.
o To support the POSH prooftype [I-D.ietf-xmpp-posh], an operator o To support the POSH prooftype [RFC7711], an operator can generate
can generate its own certificates for the XMPP server or obtain its own certificates for the XMPP server or obtain them from a CA,
them from a CA, but in addition needs to deploy the web server for but in addition needs to deploy the web server for POSH files with
POSH files with certificates obtained from a CA. However, DNS certificates obtained from a CA. However, DNS Security is not
security is not required. required.
Considerations for use of the foregoing prooftypes are explained in Considerations for the use of the foregoing prooftypes are explained
the relevant specifications. See in particular Section 13.7 of in the relevant specifications. See in particular Section 13.7 of
[RFC6120], Section 6 of [I-D.ietf-dane-srv], and Section 8 of [RFC6120], Section 6 of [RFC7673], and Section 7 of [RFC7711].
[I-D.ietf-xmpp-posh].
Naturally, these operations and management considerations are Naturally, these operations and management considerations are
additive: if an operator wishes to use multiple prooftypes, the additive: if an operator wishes to use multiple prooftypes, the
complexity of deployment increases (e.g., the operator might want to complexity of deployment increases (e.g., the operator might want to
obtain a PKIX certificate from a certification authority for use in obtain a PKIX certificate from a CA for use in the PKIX prooftype and
the PKIX prooftype and generate its own certificate for use in the generate its own certificate for use in the DANE prooftype). This is
DANE prooftype). This is an unavoidable aspect of supporting as many an unavoidable aspect of supporting as many prooftypes as needed in
prooftypes as needed in order to ensure that domain name associations order to ensure that domain name associations can be established in
can be established in the largest possible percentage of cases. the largest possible percentage of cases.
9. IANA Considerations 9. IANA Considerations
The POSH specification [I-D.ietf-xmpp-posh] establishes a registry The POSH specification [RFC7711] establishes the "POSH Service Names"
for POSH service names to be used in well-known URIs [RFC5785]. This registry for use in well-known URIs [RFC5785]. This specification
specification registers two such URIs for use in XMPP: "xmpp-client" registers two such service names for use in XMPP: "xmpp-client" and
and "xmpp-server". The completed registration templates follow. "xmpp-server". The completed registration templates follow.
9.1. POSH Service Name for xmpp-client Service 9.1. POSH Service Name for xmpp-client Service
Service name: xmpp-client Service name: xmpp-client
Change controller: IETF Change controller: IETF
Definition and usage: Specifies the location of a POSH file Definition and usage: Specifies the location of a POSH file
containing verification material or a reference thereto that enables containing verification material or a reference thereto that
a client to verify the identity of a server for a client-to-server enables a client to verify the identity of a server for a
stream in XMPP client-to-server stream in XMPP
Specification: [[ this document ]] Specification: RFC 7712 (this document)
9.2. POSH Service Name for xmpp-server Service 9.2. POSH Service Name for xmpp-server Service
Service name: xmpp-server Service name: xmpp-server
Change controller: IETF Change controller: IETF
Definition and usage: Specifies the location of a POSH file Definition and usage: Specifies the location of a POSH file
containing verification material or a reference thereto that enables containing verification material or a reference thereto that
a server to verify the identity of a peer server for a server-to- enables a server to verify the identity of a peer server for a
server stream in XMPP server-to-server stream in XMPP
Specification: [[ this document ]] Specification: RFC 7712 (this document)
10. Security Considerations 10. Security Considerations
With regard to the PKIX prooftype, this document supplements but does With regard to the PKIX prooftype, this document supplements but does
not supersede the security considerations of [RFC6120] and [RFC6125]. not supersede the security considerations of [RFC6120] and [RFC6125].
With regard to the DANE and PKIX prooftypes, the reader is referred With regard to the DANE and POSH prooftypes, the reader is referred
to [I-D.ietf-dane-srv] and [I-D.ietf-xmpp-posh], respectively. to [RFC7673] and [RFC7711], respectively.
Any future prooftypes need to thoroughly describe how they conform to Any future prooftypes need to thoroughly describe how they conform to
the prooftype model specified in Section 7 of this document. the prooftype model specified in Section 7 of this document.
11. References 11. References
11.1. Normative References 11.1. Normative References
[I-D.ietf-dane-srv] [RFC1034] Mockapetris, P., "Domain names - concepts and
Finch, T., Miller, M., and P. Saint-Andre, "Using DNS- facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034,
Based Authentication of Named Entities (DANE) TLSA Records November 1987, <http://www.rfc-editor.org/info/rfc1034>.
with SRV Records", draft-ietf-dane-srv-14 (work in
progress), April 2015.
[I-D.ietf-xmpp-posh] [RFC1035] Mockapetris, P., "Domain names - implementation and
Miller, M. and P. Saint-Andre, "PKIX over Secure HTTP specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
(POSH)", draft-ietf-xmpp-posh-04 (work in progress), November 1987, <http://www.rfc-editor.org/info/rfc1035>.
February 2015.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, specifying the location of services (DNS SRV)", RFC 2782,
<http://www.rfc-editor.org/info/rfc1034>. DOI 10.17487/RFC2782, February 2000,
<http://www.rfc-editor.org/info/rfc2782>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, Rose, "DNS Security Introduction and Requirements",
November 1987, <http://www.rfc-editor.org/info/rfc1035>. RFC 4033, DOI 10.17487/RFC4033, March 2005,
<http://www.rfc-editor.org/info/rfc4033>.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC4422] Melnikov, A., Ed., and K. Zeilenga, Ed., "Simple
specifying the location of services (DNS SRV)", RFC 2782, Authentication and Security Layer (SASL)", RFC 4422,
DOI 10.17487/RFC2782, February 2000, DOI 10.17487/RFC4422, June 2006,
<http://www.rfc-editor.org/info/rfc2782>. <http://www.rfc-editor.org/info/rfc4422>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
Rose, "DNS Security Introduction and Requirements", RFC FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
4033, DOI 10.17487/RFC4033, March 2005, <http://www.rfc-editor.org/info/rfc4949>.
<http://www.rfc-editor.org/info/rfc4033>.
[RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Authentication and Security Layer (SASL)", RFC 4422, DOI Housley, R., and W. Polk, "Internet X.509 Public Key
10.17487/RFC4422, June 2006, Infrastructure Certificate and Certificate Revocation
<http://www.rfc-editor.org/info/rfc4422>. List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280,
May 2008, <http://www.rfc-editor.org/info/rfc5280>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI [RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
36, RFC 4949, DOI 10.17487/RFC4949, August 2007, Uniform Resource Identifiers (URIs)", RFC 5785,
<http://www.rfc-editor.org/info/rfc4949>. DOI 10.17487/RFC5785, April 2010,
<http://www.rfc-editor.org/info/rfc5785>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
Housley, R., and W. Polk, "Internet X.509 Public Key Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120,
Infrastructure Certificate and Certificate Revocation List March 2011, <http://www.rfc-editor.org/info/rfc6120>.
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>.
[RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Uniform Resource Identifiers (URIs)", RFC 5785, DOI Verification of Domain-Based Application Service Identity
10.17487/RFC5785, April 2010, within Internet Public Key Infrastructure Using X.509
<http://www.rfc-editor.org/info/rfc5785>. (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125,
March 2011, <http://www.rfc-editor.org/info/rfc6125>.
[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based
Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120, Authentication of Named Entities (DANE) Transport Layer
March 2011, <http://www.rfc-editor.org/info/rfc6120>. Security (TLS) Protocol: TLSA", RFC 6698,
DOI 10.17487/RFC6698, August 2012,
<http://www.rfc-editor.org/info/rfc6698>.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify
Verification of Domain-Based Application Service Identity Conversations about DNS-Based Authentication of Named
within Internet Public Key Infrastructure Using X.509 Entities (DANE)", RFC 7218, DOI 10.17487/RFC7218,
(PKIX) Certificates in the Context of Transport Layer April 2014, <http://www.rfc-editor.org/info/rfc7218>.
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
2011, <http://www.rfc-editor.org/info/rfc6125>.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication [RFC7673] Finch, T., Miller, M., and P. Saint-Andre, "Using
of Named Entities (DANE) Transport Layer Security (TLS) DNS-Based Authentication of Named Entities (DANE) TLSA
Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August Records with SRV Records", RFC 7673,
2012, <http://www.rfc-editor.org/info/rfc6698>. DOI 10.17487/RFC7673, October 2015,
<http://www.rfc-editor.org/info/rfc7673>.
[RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify [RFC7711] Miller, M. and P. Saint-Andre, "PKIX over Secure HTTP
Conversations about DNS-Based Authentication of Named (POSH)", RFC 7711, DOI 10.17487/RFC7711, November 2015,
Entities (DANE)", RFC 7218, DOI 10.17487/RFC7218, April <http://www.rfc-editor.org/info/rfc7711>.
2014, <http://www.rfc-editor.org/info/rfc7218>.
[XEP-0220] [XEP-0220] Miller, J., Saint-Andre, P., and P. Hancke, "Server
Miller, J., Saint-Andre, P., and P. Hancke, "Server Dialback", XSF XEP 0220, August 2014,
Dialback", XSF XEP 0220, August 2014. <http://xmpp.org/extensions/xep-0220.html>.
11.2. Informative References 11.2. Informative References
[RFC2142] Crocker, D., "Mailbox Names for Common Services, Roles and [RFC2142] Crocker, D., "Mailbox Names for Common Services, Roles
Functions", RFC 2142, DOI 10.17487/RFC2142, May 1997, and Functions", RFC 2142, DOI 10.17487/RFC2142, May 1997,
<http://www.rfc-editor.org/info/rfc2142>. <http://www.rfc-editor.org/info/rfc2142>.
[RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 3920, DOI 10.17487/RFC3920, Protocol (XMPP): Core", RFC 3920, DOI 10.17487/RFC3920,
October 2004, <http://www.rfc-editor.org/info/rfc3920>. October 2004, <http://www.rfc-editor.org/info/rfc3920>.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120, Kerberos Network Authentication Service (V5)", RFC 4120,
DOI 10.17487/RFC4120, July 2005, DOI 10.17487/RFC4120, July 2005,
<http://www.rfc-editor.org/info/rfc4120>. <http://www.rfc-editor.org/info/rfc4120>.
[RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
Extensions: Extension Definitions", RFC 6066, DOI Extensions: Extension Definitions", RFC 6066,
10.17487/RFC6066, January 2011, DOI 10.17487/RFC6066, January 2011,
<http://www.rfc-editor.org/info/rfc6066>. <http://www.rfc-editor.org/info/rfc6066>.
[RFC6091] Mavrogiannopoulos, N. and D. Gillmor, "Using OpenPGP Keys [RFC6091] Mavrogiannopoulos, N. and D. Gillmor, "Using OpenPGP Keys
for Transport Layer Security (TLS) Authentication", RFC for Transport Layer Security (TLS) Authentication",
6091, DOI 10.17487/RFC6091, February 2011, RFC 6091, DOI 10.17487/RFC6091, February 2011,
<http://www.rfc-editor.org/info/rfc6091>. <http://www.rfc-editor.org/info/rfc6091>.
[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749, October 2012, RFC 6749, DOI 10.17487/RFC6749, October 2012,
<http://www.rfc-editor.org/info/rfc6749>. <http://www.rfc-editor.org/info/rfc6749>.
[RFC7590] Saint-Andre, P. and T. Alkemade, "Use of Transport Layer [RFC7590] Saint-Andre, P. and T. Alkemade, "Use of Transport Layer
Security (TLS) in the Extensible Messaging and Presence Security (TLS) in the Extensible Messaging and Presence
Protocol (XMPP)", RFC 7590, DOI 10.17487/RFC7590, June Protocol (XMPP)", RFC 7590, DOI 10.17487/RFC7590,
2015, <http://www.rfc-editor.org/info/rfc7590>. June 2015, <http://www.rfc-editor.org/info/rfc7590>.
[XEP-0045] [XEP-0045] Saint-Andre, P., "Multi-User Chat", XSF XEP 0045,
Saint-Andre, P., "Multi-User Chat", XSF XEP 0045, February February 2012,
2012. <http://xmpp.org/extensions/xep-0045.html>.
[XEP-0288] [XEP-0288] Hancke, P. and D. Cridland, "Bidirectional
Hancke, P. and D. Cridland, "Bidirectional Server-to- Server-to-Server Connections", XSF XEP 0288,
Server Connections", XSF XEP 0288, September 2013. September 2013,
<http://xmpp.org/extensions/xep-0288.html>.
[XEP-0344] [XEP-0344] Hancke, P. and D. Cridland, "Impact of TLS and DNSSEC on
Hancke, P. and D. Cridland, "Impact of TLS and DNSSEC on Dialback", XSF XEP 0344, March 2015,
Dialback", XSF XEP 0344, March 2015. <http://xmpp.org/extensions/xep-0344.html>.
Appendix A. Acknowledgements Acknowledgements
Richard Barnes, Stephen Farrell, and Jonas Lindberg contributed as Richard Barnes, Stephen Farrell, and Jonas Lindberg contributed as
co-authors to earlier draft versions of this document. co-authors to earlier draft versions of this document.
Derek Atkins, Mahesh Jethanandani, and Dan Romascanu reviewed the Derek Atkins, Mahesh Jethanandani, and Dan Romascanu reviewed the
document on behalf of the Security Directorate, the Operations and document on behalf of the Security Directorate, the Operations and
Management Directorate, and the General Area Review Team, Management Directorate, and the General Area Review Team,
respectively. respectively.
During IESG review, Stephen Farrell and Barry Leiba provided helpful During IESG review, Stephen Farrell and Barry Leiba provided helpful
skipping to change at page 22, line 45 skipping to change at page 24, line 37
Peter Saint-Andre Peter Saint-Andre
&yet &yet
Email: peter@andyet.com Email: peter@andyet.com
URI: https://andyet.com/ URI: https://andyet.com/
Matthew Miller Matthew Miller
Cisco Systems, Inc. Cisco Systems, Inc.
1899 Wynkoop Street, Suite 600 1899 Wynkoop Street, Suite 600
Denver, CO 80202 Denver, CO 80202
USA United States
Email: mamille2@cisco.com Email: mamille2@cisco.com
Philipp Hancke Philipp Hancke
&yet &yet
Email: fippo@andyet.com Email: fippo@andyet.com
URI: https://andyet.com/ URI: https://andyet.com/
 End of changes. 105 change blocks. 
304 lines changed or deleted 302 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/