[Security] S2S Leap of faith w/ SASL EXTERNAL

David Banes david at banes.org
Thu Nov 18 17:27:04 CST 2010


On 19/11/2010, at 10:22 AM, Matthew Wild wrote:

> On 18 November 2010 23:07, David Banes <david at banes.org> wrote:
>> Cisco should sponsor/host it...
>> 
> 
> A lonely picture of Dave hanging on some wall in the Cisco offices? I
> can see it now...
> 
> Aaaaanyway...
> 
> The problem I see with this is - when the admin changes the certs
> (e.g. they expire) - what next? We just blindly trust the new certs
> after dialback? Isn't there a risk that the MITM comes along, offers a
> new cert, and intercepts the dialback verifications and acks them
> successfully?

If the cert changes I think you have to start from scratch.

> 
> In SSH at least you get notified (quite loudly) that the server
> fingerprint has changed.

Send an IM / email alert to the domain admin, drop a flag in the error/security log.

> 
> Matthew

--------------------------------------------------------------------------------------------------------
Email Filtering by Cleartext a Carbon Minimised company - www.cleartext.com
--------------------------------------------------------------------------------------------------------
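The SSH-style behaviour discussed above (pin the peer's certificate on first contact, then refuse to silently re-trust a different certificate even if dialback succeeds, and raise an alert for the domain admin) can be sketched as a small trust-on-first-use pin store. This is an added example, not code from the thread or from any XMPP server; the class and function names, the alert format, and the certificate bytes are all constructed for illustration.

```python
import hashlib
import logging
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("s2s.tofu")


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the value an admin would compare out-of-band."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Decision:
    action: str            # "pinned" (first contact), "trusted" (pin matches), "changed" (mismatch)
    domain: str
    old_fp: Optional[str]  # previously pinned fingerprint, None on first contact
    new_fp: str            # fingerprint of the certificate just presented


class PinStore:
    """Leap-of-faith pins for S2S peers: one fingerprint per remote domain (constructed example)."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, domain: str, cert_der: bytes) -> Decision:
        fp = fingerprint(cert_der)
        old = self._pins.get(domain)
        if old is None:
            # First contact: this is the leap of faith. Record the pin.
            self._pins[domain] = fp
            return Decision("pinned", domain, None, fp)
        if old == fp:
            return Decision("trusted", domain, old, fp)
        # Mismatch: do NOT update the pin here. A successful dialback for the new
        # cert does not prove anything if the verification itself went through
        # the party that presented the new cert. Trust has to start from scratch.
        return Decision("changed", domain, old, fp)

    def accept_new(self, domain: str, cert_der: bytes) -> None:
        """Admin action after verifying the new fingerprint out-of-band: replace the pin."""
        self._pins[domain] = fingerprint(cert_der)

    def forget(self, domain: str) -> None:
        """Admin action: drop the pin so the next contact is a fresh leap of faith."""
        self._pins.pop(domain, None)


def alert_for(decision: Decision) -> Optional[dict]:
    """Build the admin alert (IM / email / security log) for a changed pin; None if nothing to report."""
    if decision.action != "changed":
        return None
    return {
        "severity": "security",
        "domain": decision.domain,
        "event": "s2s certificate fingerprint changed; connection NOT auto-trusted",
        "pinned_sha256": decision.old_fp,
        "presented_sha256": decision.new_fp,
    }


def handle_peer(store: PinStore, domain: str, cert_der: bytes) -> Decision:
    """Gate an S2S peer on the pin store and emit the alert on a change."""
    decision = store.check(domain, cert_der)
    alert = alert_for(decision)
    if alert is not None:
        log.error("%s", alert)  # same record would go to the domain admin by IM/email
    return decision


if __name__ == "__main__":
    # Constructed certificate bytes standing in for two different DER certs.
    store = PinStore()
    print(handle_peer(store, "example.net", b"constructed-cert-A"))
    print(handle_peer(store, "example.net", b"constructed-cert-A"))
    print(handle_peer(store, "example.net", b"constructed-cert-B"))
```

The pin is only ever replaced by `accept_new` or cleared by `forget`, both admin actions; a repeat connection with the changed certificate keeps producing `changed` until someone has verified the new fingerprint through a channel the peer does not control.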