[Security] S2S Leap of faith w/ SASL EXTERNAL

Matthew Wild mwild1 at gmail.com
Thu Nov 18 17:22:54 CST 2010


On 18 November 2010 23:07, David Banes <david at banes.org> wrote:
> Cisco should sponsor/host it...
>

A lonely picture of Dave hanging on some wall in the Cisco offices? I
can see it now...

Aaaaanyway...

The problem I see with this is - when the admin changes the certs
(e.g. they expire) - what next? We just blindly trust the new certs
after dialback? Isn't there a risk that the MITM comes along, offers a
new cert, and intercepts the dialback verifications and acks them
successfully?

In SSH at least you get notified (quite loudly) that the server
fingerprint has changed.

Matthew
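An added example, not code from the thread or from any XMPP server, of the SSH-style behaviour Matthew contrasts with blind re-trust: a trust-on-first-use pin store that records a peer's certificate fingerprint the first time it is seen and refuses to silently re-pin when the presented certificate changes. Domain names and certificate bytes below are constructed placeholders, and `accept_rotation` is a hypothetical hook for whatever out-of-band confirmation the admin uses.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first_seen"  # no pin yet: trust on first use, record it
    MATCH = "match"            # presented cert matches the recorded pin
    CHANGED = "changed"        # pin mismatch: must not be accepted silently


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as SSH does for host keys."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Minimal known_hosts-style store: one fingerprint per remote domain."""

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}

    def check(self, domain: str, cert_der: bytes) -> Verdict:
        fp = fingerprint(cert_der)
        pinned = self.pins.get(domain)
        if pinned is None:
            self.pins[domain] = fp
            return Verdict.FIRST_SEEN
        if pinned == fp:
            return Verdict.MATCH
        # A legitimate rotation and a MITM presenting a fresh cert look
        # identical at this point, so the caller must not re-pin on the
        # strength of a dialback round-trip alone; it needs an independent
        # signal (admin confirmation, CA/DANE validation) before accepting.
        return Verdict.CHANGED

    def accept_rotation(self, domain: str, cert_der: bytes, confirmed: bool) -> bool:
        """Re-pin only after an explicit, out-of-band confirmation (hypothetical hook)."""
        if not confirmed:
            return False
        self.pins[domain] = fingerprint(cert_der)
        return True


def demo() -> list[Verdict]:
    """Walks the scenario from the thread with constructed certificate bytes."""
    store = PinStore()
    old_cert, new_cert = b"constructed-cert-old", b"constructed-cert-new"
    return [
        store.check("peer.example", old_cert),  # first contact: pin recorded
        store.check("peer.example", old_cert),  # later session: pin matches
        store.check("peer.example", new_cert),  # cert changed: flagged, not trusted
    ]
```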

