[Security] S2S Leap of faith w/ SASL EXTERNAL

Jesus Cea jcea at jcea.es
Wed Nov 17 19:01:22 CST 2010



On 18/11/10 01:51, Kim Alvefur wrote:
> A thought:
> 
> Imagine a server with a self signed certificate. When your server
> connects to it, it of course wouldn't trust the cert enough to do SASL
> EXTERNAL, so it falls back to dialback. If dialback is successfully done
> a few times, while the server presents the same cert, automatically pin
> it and allow SASL EXTERNAL the next time.

The connection direction is reversed.

I think it is a good idea. One time could be enough.

But this could be done outside the server. Imagine an xmpp.org-sponsored
service that signs certificates with the only requirement of fulfilling
the dialback procedure. We could use regular X.509. You would need to
trust xmpp.org, just like now you must trust any other CA.

-- 
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea at jabber.org         _/_/    _/_/          _/_/_/_/_/
.                              _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
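The pin-after-dialback idea discussed in this thread, as an added Python sketch that is not code from the thread or from any XMPP server: a remote domain's certificate is pinned only after it has survived a configurable number of successful dialback rounds while staying the same, SASL EXTERNAL is allowed only for the pinned certificate, and a changed certificate drops the pin and restarts the count. The threshold, the `run_dialback` callback, domain names and certificate bytes are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, hex-encoded (constructed helper)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PinStore:
    """Leap-of-faith pin store for s2s peers (added example, not server code)."""
    # Kim suggests "a few times"; Jesus argues one could be enough. Tunable.
    required_dialbacks: int = 3
    # domain -> pinned fingerprint
    pins: Dict[str, str] = field(default_factory=dict)
    # domain -> (fingerprint last seen, consecutive successful dialbacks with it)
    seen: Dict[str, Tuple[Optional[str], int]] = field(default_factory=dict)

    def may_use_sasl_external(self, domain: str, cert_der: bytes) -> bool:
        """EXTERNAL is acceptable only if the presented cert equals the pin."""
        return self.pins.get(domain) == fingerprint(cert_der)

    def record_dialback_success(self, domain: str, cert_der: bytes) -> bool:
        """Count a passed dialback; return True once the cert becomes pinned."""
        fp = fingerprint(cert_der)
        prev_fp, count = self.seen.get(domain, (None, 0))
        if prev_fp != fp:
            # First contact or a certificate change: drop any pin, start over.
            self.pins.pop(domain, None)
            count = 0
        count += 1
        self.seen[domain] = (fp, count)
        if count >= self.required_dialbacks:
            self.pins[domain] = fp
            return True
        return False

    def authenticate(self, domain: str, cert_der: bytes,
                     run_dialback: Callable[[str], bool]) -> str:
        """Pick the mechanism for one session: 'EXTERNAL', 'dialback' or 'rejected'."""
        if self.may_use_sasl_external(domain, cert_der):
            return "EXTERNAL"
        # Untrusted cert: fall back to dialback, and only count it if it passed.
        if run_dialback(domain):
            self.record_dialback_success(domain, cert_der)
            return "dialback"
        return "rejected"
```

A peer that rotates its self-signed certificate silently loses its pin and goes through dialback again, which is the intended failure mode rather than a trust-on-first-use shortcut.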
