The IESG has approved the following document: - 'PKIX over Secure HTTP (POSH)' (draft-ietf-xmpp-posh-06.txt) as Proposed Standard This document is the product of the Extensible Messaging and Presence Protocol Working Group. The IESG contact persons are Barry Leiba, Ben Campbell and Alissa Cooper. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-xmpp-posh/ Technical Summary This document defines the "PKIX over Secure HTTP (POSH)" prooftype, to be used as part of the XMPP Domain Name Assertion (DNA) framework. From the abstract: "Experience has shown that it is extremely difficult to deploy proper PKIX certificates for TLS in multi-tenanted environments. As a result, domains hosted in such environments often deploy applications using certificates that identify the hosting service, not the hosted domain. Such deployments force end users and peer services to accept a certificate with an improper identifier, resulting in obvious security implications. This document defines two methods that make it easier to deploy certificates for proper server identity checking in non-HTTP application protocols. While these methods developed for use in the Extensible Messaging and Presence Protocol (XMPP) as a Domain Name Association (DNA) prooftype, they might also be usable in other non-HTTP application protocols." The XMPP working group believes that this technology is ready for wider implementation, and would benefit from interoperability testing. Therefore we request the document to be published as a "Proposed Standard". Working Group Summary Was there anything in the WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? Document Quality During discussion in XMPP, it became apparent that POSH might have more general applicability. There was a POSH BoF in the Security area at IETF 87. While there was recognition that POSH could be generally useful, there was no consensus to expand the effort beyond the needs of XMPP. Therefore POSH was adopted as an XMPP work item, with the idea that we would make it as general as we reasonable could without bogging down the work, but that we would not attempt to meet the specific requirements for applications other than XMPP. The chairs believe POSH has reached a broad consensus in XMPP. There has been considerable review in XMPP, and in the Security area due to the BoF. POSH does not need targeted reviews beyond the usual Gen-ART, SecDir, etc reviews. Reviews have concentrated primarily on clarifying the specification rather than altering how it works. Some members of the working group (including an author) have expressed the opinion that this is a stopgap technology rather than a long-term plan. At the time of this writing, the shepherd is aware of two experimental implementations which have not been deployed - however various implementors of XMPP have expressed some interest, and some are in progress. Personnel The document shepherd is Dave Cridland. The responsible Area Director is Ben Campbell.
