[Security] S2S Leap of faith w/ SASL EXTERNAL

Kim Alvefur zash at zash.se
Wed Nov 17 18:51:26 CST 2010


A thought:

Imagine a server with a self signed certificate. When your server
connects to it, it of course wouldn't trust the cert enough to do SASL
EXTERNAL, so it falls back to dialback. If dialback is successfully done
a few times, while the server presents the same cert, automatically pin
it and allow SASL EXTERNAL the next time.

Why:

* Encourage more widespread deployment, interop testing of EXTERNAL.
* Same with general use of TLS, even with self signed certs.
* Security issues would be about the same as with SSH.
* I suppose it would help about as much with MITM as dialback does with
DNS spoofing?

Thoughts?

-- 
Kim Alvefur <zash at zash.se>
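One way to model the pinning policy sketched above, as an added illustration that is not code from the post, from Prosody or from any other XMPP server: a per-domain store keyed on the SHA-256 fingerprint of the certificate the remote presented, a counter of consecutive successful dialbacks, and a decision function that only returns SASL EXTERNAL once the same self-signed cert has survived a threshold number of dialbacks. A cert change on a pinned domain is treated as a pin mismatch (could be a legitimate key rollover, could be interposition), so the server logs it and drops back to dialback with a fresh count rather than silently re-pinning. The threshold of 3, the SHA-256 fingerprint, the `LeapOfFaithPolicy` class and the certificate byte strings are all constructed for this example.

```python
"""Leap-of-faith certificate pinning for XMPP s2s (constructed example).

Policy modelled here (assumptions, not any server's actual behaviour):
  * CA-trusted cert            -> SASL EXTERNAL straight away.
  * unknown / unpinned cert    -> dialback; count successes per (domain, cert).
  * same cert seen on PIN_THRESHOLD consecutive successful dialbacks -> pin it,
    and allow SASL EXTERNAL on later connections that present that cert.
  * pinned domain presents a different cert -> pin mismatch: log, reset the
    count for the new cert, and fall back to dialback (never auto re-pin).
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

PIN_THRESHOLD = 3  # assumed value; a real deployment would make this configurable


@dataclass
class PinState:
    fingerprint: str
    dialback_successes: int = 0
    pinned: bool = False


class LeapOfFaithPolicy:
    def __init__(self, threshold: int = PIN_THRESHOLD) -> None:
        self.threshold = threshold
        self.store: Dict[str, PinState] = {}   # remote domain -> state
        self.events: List[str] = []            # audit log of pin changes

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def choose_auth(self, domain: str, cert_der: bytes, ca_trusted: bool) -> str:
        """Decide the s2s auth mechanism for an outgoing connection."""
        if ca_trusted:
            return "external"  # ordinary PKIX trust needs no pinning
        fp = self.fingerprint(cert_der)
        state = self.store.get(domain)
        if state is not None and state.pinned and state.fingerprint == fp:
            return "external"  # leap of faith already taken for this cert
        if state is not None and state.fingerprint != fp:
            # Pin mismatch (or pre-pin cert change): record it and start over.
            self.events.append(
                f"{domain}: cert changed {state.fingerprint[:8]} -> {fp[:8]}")
            self.store[domain] = PinState(fp)
        elif state is None:
            self.store[domain] = PinState(fp)
        return "dialback"

    def dialback_succeeded(self, domain: str, cert_der: bytes) -> bool:
        """Record a successful dialback; returns True once the cert is pinned."""
        fp = self.fingerprint(cert_der)
        state = self.store.get(domain)
        if state is None or state.fingerprint != fp:
            state = PinState(fp)
            self.store[domain] = state
        state.dialback_successes += 1
        if not state.pinned and state.dialback_successes >= self.threshold:
            state.pinned = True
            self.events.append(
                f"{domain}: pinned {fp[:8]} after {state.dialback_successes} dialbacks")
        return state.pinned

    def dialback_failed(self, domain: str) -> None:
        """A failed dialback breaks the run of consecutive successes."""
        state = self.store.get(domain)
        if state is not None and not state.pinned:
            state.dialback_successes = 0


# Constructed stand-ins for DER-encoded certificates.
CERT_A = b"constructed-self-signed-cert-A"
CERT_B = b"constructed-self-signed-cert-B"


def simulate() -> Tuple[List[str], List[str]]:
    """Six connections from one server to example.net; returns decisions and log."""
    policy = LeapOfFaithPolicy(threshold=3)
    decisions = []
    for _ in range(3):  # three dialbacks, same self-signed cert each time
        decisions.append(policy.choose_auth("example.net", CERT_A, ca_trusted=False))
        policy.dialback_succeeded("example.net", CERT_A)
    # Fourth connection: same cert, now pinned -> EXTERNAL allowed.
    decisions.append(policy.choose_auth("example.net", CERT_A, ca_trusted=False))
    # Fifth: a different cert for a pinned domain -> mismatch, back to dialback.
    decisions.append(policy.choose_auth("example.net", CERT_B, ca_trusted=False))
    # Sixth: a CA-trusted cert needs no pinning at all.
    decisions.append(policy.choose_auth("ca.example", CERT_B, ca_trusted=True))
    return decisions, policy.events


if __name__ == "__main__":
    for line in simulate()[1]:
        print(line)
```

The interesting part from a defender's point of view is the fifth connection: once a pin exists, a changed certificate must not be accepted for EXTERNAL and must not quietly become the new pin; it is logged and the remote has to earn trust again through dialback, which is the same property that makes SSH's known_hosts warning useful.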