[Security] S2S Leap of faith w/ SASL EXTERNAL

Kim Alvefur zash at zash.se
Wed Nov 17 19:52:38 CST 2010


On Thu, 2010-11-18 at 02:01 +0100, Jesus Cea wrote:
> The connection direction is reversed.

Did I get that mixed up? But would that matter when s2s is done over two
TCP connections?

> One time could be enough.

Yes, one time seems to work quite well for SSH.

> But this could be done outside the server.

Another, less automagic approach, could be to just place fingerprints in
some queue and allow an administrator to manually pin them.

> Imagine an xmpp.org sponsored service that signs certificates with the
> only requirement of fulfilling the dialback procedure. We could use
> regular X.509. You would need to trust xmpp.org, just like now you
> must trust any other CA.

That would be similar to how some CAs give out free certs with
the only requirement that you control the MX record of the domain.

And the XSF did have an intermediate CA a while back, but doesn't for
some reason that I don't remember now.


The thing I wanted to get at was to make it simpler for smaller
deployments, like some friends' personal servers, to establish some
measurement of trust between themselves, without all the bureaucracy
that CAs bring.

-- 
Kim Alvefur <zash at zash.se>
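
The manual pinning queue suggested in the message above, as an added example that is not part of the original post or of any XMPP server's code. It assumes a SHA-256 fingerprint over the DER-encoded certificate; `PinStore`, `check` and `approve` are hypothetical names, and the certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (hash choice is an assumption)."""
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Hypothetical store: unknown s2s certificates wait in a queue until an admin pins them."""

    def __init__(self):
        self.pinned = {}    # domain -> approved fingerprint
        self.pending = {}   # domain -> set of fingerprints awaiting review

    def check(self, domain: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        pin = self.pinned.get(domain)
        # Constant-time comparison of the presented fingerprint with the pin.
        if pin is not None and hmac.compare_digest(pin, fp):
            return "trusted"
        # Unknown or changed certificate: queue it for review, never pin automatically.
        self.pending.setdefault(domain, set()).add(fp)
        return "queued" if pin is None else "mismatch"

    def approve(self, domain: str, fp: str) -> None:
        """Administrator action, taken after checking fp out of band."""
        if fp not in self.pending.get(domain, set()):
            raise KeyError(f"{fp} was never presented by {domain}")
        self.pinned[domain] = fp
        self.pending.pop(domain)

def demo():
    # Constructed stand-ins for DER certificate bytes, not real certificates.
    cert_a = b"constructed-cert-for-friend.example"
    cert_b = b"constructed-cert-from-someone-else"
    store = PinStore()
    results = [store.check("friend.example", cert_a)]       # first sight
    store.approve("friend.example", fingerprint(cert_a))    # admin pins it
    results.append(store.check("friend.example", cert_a))   # same certificate
    results.append(store.check("friend.example", cert_b))   # certificate changed
    return results, store

if __name__ == "__main__":
    print(demo()[0])
```

Unlike the SSH-style leap of faith, nothing is trusted on first contact here: a certificate is only recorded, and a changed certificate lands back in the queue instead of replacing the pin.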