1667   E2E security with clear transfer

Created: 13 Sep 2019

Status: Triage

Part: Part 8-2 (2018)

Links:

Page: 252

Clause: Annex A.2.2.2

Paragraph:

Issue

In Annex A table A.1 it is indicated that use of E2E security is mandatory. In this case we have two options to choose: clear transfer (not encrypted, but signed PDU) or encrypted transfer (PDU is encrypted and signed). In case of clear transfer, implementation of checking of signature of PDU is not possible since XMPP server(s) used for transferring message over the network can (and in most of the cases do) change layout of XML text of PDU. For example can change order of attributes or exchange double to single quotes in values of attributes.

Proposal

To make clear transfer work it should be either:
- add constraints to XMPP servers to not change a single byte in PDU part
or
- encode PDU using Base64 and place as content of application data element as it is done in case of encrypted PDU