[jdev] S2S questions - from attribute and version support

Vinod Panicker vinod.p at gmail.com
Sat Dec 31 02:42:08 CST 2005


On 12/31/05, Philipp Hancke <fippo at goodadvice.pages.de> wrote:
> Justin Karneges wrote:
>  > For now, servers implementors seem to be taking matters
>  > into their own hands, and so not only do we have 1.0
>  > without SASL, but we have TLS+dialback.
> What if SASL is implemented but there are no usable methods?
>
> Let us assume we have successfully used starttls.
> The server will only offer SASL PLAIN or DIGEST-MD5 for s2s
> authentication if there is a shared secret between the two parties.
>
> The server will only offer SASL EXTERNAL if the certificate presented
> by the client (server) meets certain criteria (see
> http://mail.jabber.org/pipermail/jdev/2005-November/022309.html).
>
> What if both mechanisms are not usable (and therefore not offered)?
>
> This is why tls+dialback is currently necessary.

The RFC states that SASL must be done after TLS.  Though it's not
expressly forbidden, I doubt that TLS+dialback was ever intended in
the first place, since Dialback was written much before there was the
question of TLS.

Regarding the issue of SASL EXTERNAL and support for subjectAltNames,
I don't think it is currently possible to have a valid certificate with
subjectAltName extensions since none of the CAs are supporting it.

I think there should be something done for enabling federation between
servers using DIGEST-MD5 or even PLAIN.  Otherwise, this looks like a
no-go.  Servers will keep relying on dialback.

Regards,
Vinod.
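The decision the thread is arguing about (which s2s authentication path a receiving server can offer once STARTTLS has succeeded) is small enough to write down. The Python below is an added example for this archive page, not code from the thread or from any XMPP server. The certificate criteria for offering EXTERNAL are an assumption here, since the linked November post is not on this page: a subjectAltName dNSName or id-on-xmppAddr entry equal to the peer domain, with a bare Common Name not accepted, which is exactly the case Vinod raises. The domain names and shared secret are constructed sample data; `PeerCert`, `choose_path` and `mechanisms_xml` are names invented for the example.

```python
# Added example (not code from the jdev thread or any XMPP server): the
# receiving server's choice of s2s authentication path after STARTTLS,
# following the decision logic described in the thread. The criteria for
# offering EXTERNAL are an assumption: a dNSName or id-on-xmppAddr
# subjectAltName equal to the peer domain; a bare CN is not accepted.
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"   # RFC 3920 SASL namespace


@dataclass
class PeerCert:
    """What the receiving server learned about the peer's TLS certificate.
    Chain validation is assumed to have been done by the TLS layer."""
    subject_cn: str
    dns_names: list = field(default_factory=list)    # subjectAltName dNSName
    xmpp_addrs: list = field(default_factory=list)   # subjectAltName id-on-xmppAddr
    chain_valid: bool = False


def cert_identifies(cert, peer_domain):
    """EXTERNAL may be offered only if the certificate proves the claimed domain."""
    if cert is None or not cert.chain_valid:
        return False
    want = peer_domain.lower()
    names = [n.lower() for n in cert.dns_names + cert.xmpp_addrs]
    return want in names          # the CN alone is deliberately not consulted


def offer_mechanisms(peer_domain, cert, shared_secrets, tls_established):
    """Mechanisms the receiving server would advertise in <stream:features>."""
    if not tls_established:
        return []                 # no SASL before STARTTLS, as the post reads the RFC
    mechs = []
    if cert_identifies(cert, peer_domain):
        mechs.append("EXTERNAL")
    if peer_domain in shared_secrets:
        mechs += ["DIGEST-MD5", "PLAIN"]   # only meaningful with a shared secret
    return mechs


def choose_path(peer_domain, cert, shared_secrets, tls_established=True):
    """Returns ('sasl', [mechanisms]) or ('dialback', []): with no usable
    SASL mechanism the only remaining option is dialback over the TLS stream."""
    mechs = offer_mechanisms(peer_domain, cert, shared_secrets, tls_established)
    return ("sasl", mechs) if mechs else ("dialback", [])


def mechanisms_xml(mechs):
    """Serialise the SASL <mechanisms/> feature element ('' if nothing is offered)."""
    if not mechs:
        return ""
    root = ET.Element(f"{{{NS_SASL}}}mechanisms")
    for name in mechs:
        ET.SubElement(root, f"{{{NS_SASL}}}mechanism").text = name
    return ET.tostring(root, encoding="unicode", default_namespace=NS_SASL)


# Constructed sample inputs, not real certificates or secrets.
SECRETS = {"trusted.example.org": b"shared-secret"}              # hypothetical
SAN_CERT = PeerCert("peer.example.net", dns_names=["peer.example.net"], chain_valid=True)
CN_ONLY_CERT = PeerCert("legacy.example.com", chain_valid=True)  # CA issued no SAN

if __name__ == "__main__":
    for domain, cert in [("peer.example.net", SAN_CERT),          # EXTERNAL
                         ("trusted.example.org", CN_ONLY_CERT),   # DIGEST-MD5, PLAIN
                         ("legacy.example.com", CN_ONLY_CERT)]:   # dialback
        path, mechs = choose_path(domain, cert, SECRETS)
        print(domain, "->", path, mechs, mechanisms_xml(mechs))
```

The third case is the one the thread keeps returning to: a chain-valid certificate whose only identity is the Common Name yields no SASL mechanism at all, so the server can advertise nothing and the peers fall back to dialback on top of the already-established TLS session.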


