[Security] S2S Leap of faith w/ SASL EXTERNAL

David Banes david at banes.org
Wed Nov 17 18:54:41 CST 2010


Good idea.

On 18/11/2010, at 11:51 AM, Kim Alvefur wrote:

> A thought:
> 
> Imagine a server with a self signed certificate. When your server
> connects to it, it of course wouldn't trust the cert enough to do SASL
> EXTERNAL, so it falls back to dialback. If dialback is successfully done
> a few times, while the server presents the same cert, automatically pin
> it and allow SASL EXTERNAL the next time. 
> 
> Why:
> 
> * Encourage more widespread deployment, interop testing of EXTERNAL.
> * Same with general use of TLS, even with self signed certs.
> * Security issues would be about the same as with SSH.
> * I suppose it would help about as much with MITM as dialback does with
> DNS spoofing?
> 
> Thoughts?
> 
> -- 
> Kim Alvefur <zash at zash.se>
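
The pinning logic Kim sketches above, written out as an added example (it is not code from this thread or from any XMPP server): a per-domain store counts successful dialback runs while the peer keeps presenting the same certificate, pins the certificate once a threshold is reached, and only then reports that SASL EXTERNAL may be attempted. The threshold of three runs, the SHA-256 fingerprint, the class and method names, and the certificate byte strings used in the demo are all assumptions constructed for illustration. The one edge case worth getting right is a changed certificate: the store drops the pin and resets the counter instead of silently re-pinning, because that is exactly the moment a MITM (or a legitimate key rotation) becomes visible and should be logged.

```python
import hashlib
from dataclasses import dataclass

# Consecutive successful dialback runs with an unchanged certificate required
# before the cert is pinned. The proposal only says "a few times"; three is an
# assumption chosen for this example.
PIN_THRESHOLD = 3


@dataclass
class PinEntry:
    fingerprint: str            # SHA-256 hex digest of the DER certificate
    dialback_successes: int = 0 # runs seen with this fingerprint
    pinned: bool = False        # True once dialback_successes >= threshold
    fingerprint_changes: int = 0  # how often the peer's cert has changed


class LeapOfFaithStore:
    """Per-domain record of the certificate a remote S2S peer has presented."""

    def __init__(self, threshold: int = PIN_THRESHOLD):
        self.threshold = threshold
        self.entries: dict[str, PinEntry] = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def auth_method(self, domain: str, cert_der: bytes, ca_trusted: bool) -> str:
        """Return "external" if SASL EXTERNAL may be tried, else "dialback".

        A certificate chaining to a trusted CA is always enough for EXTERNAL.
        A self-signed certificate is only accepted once it has been pinned,
        and only while the presented fingerprint still matches the pin.
        """
        if ca_trusted:
            return "external"
        entry = self.entries.get(domain)
        if entry is not None and entry.pinned and entry.fingerprint == self.fingerprint(cert_der):
            return "external"
        return "dialback"

    def record_dialback_success(self, domain: str, cert_der: bytes) -> PinEntry:
        """Call after dialback has verified the peer; pins on reaching the threshold.

        A different fingerprint for a known domain drops any existing pin and
        restarts the count. The change is recorded on the entry so that an
        operator can be alerted; the peer simply stays on dialback meanwhile.
        """
        fp = self.fingerprint(cert_der)
        entry = self.entries.get(domain)
        if entry is None:
            entry = PinEntry(fingerprint=fp)
            self.entries[domain] = entry
        elif entry.fingerprint != fp:
            entry.fingerprint = fp
            entry.dialback_successes = 0
            entry.pinned = False
            entry.fingerprint_changes += 1
        entry.dialback_successes += 1
        if entry.dialback_successes >= self.threshold:
            entry.pinned = True
        return entry


if __name__ == "__main__":
    # Constructed sample "certificates": any bytes will do for the fingerprint.
    cert_a = b"constructed-self-signed-cert-A"
    cert_b = b"constructed-self-signed-cert-B"
    store = LeapOfFaithStore()
    for run in range(1, 4):
        store.record_dialback_success("example.net", cert_a)
        print(run, store.auth_method("example.net", cert_a, ca_trusted=False))
    # The peer suddenly presents a different cert: pin is dropped.
    changed = store.record_dialback_success("example.net", cert_b)
    print("after cert change:", store.auth_method("example.net", cert_b, False),
          "changes =", changed.fingerprint_changes)
```

The decision is deliberately split in two: `auth_method` is consulted when the stream is negotiated, `record_dialback_success` only after dialback has actually completed, so a peer that fails dialback never advances the counter, and a certificate that merely looks familiar is never enough on its own before the pin exists.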

