[Security] S2S Leap of faith w/ SASL EXTERNAL
David Banes
david at banes.org
Thu Nov 18 17:27:04 CST 2010
On 19/11/2010, at 10:22 AM, Matthew Wild wrote:
> On 18 November 2010 23:07, David Banes <david at banes.org> wrote:
>> Cisco should sponsor/host it...
>>
>
> A lonely picture of Dave hanging on some wall in the Cisco offices? I
> can see it now...
>
> Aaaaanyway...
>
> The problem I see with this is - when the admin changes the certs
> (e.g. they expire) - what next? We just blindly trust the new certs
> after dialback? Isn't there a risk that the MITM comes along, offers a
> new cert, intercepts the dialback verifications and acks them
> successfully?
If the cert changes I think you have to start from scratch.
>
> In SSH at least you get notified (quite loudly) that the server
> fingerprint has changed.
Send an IM / email alert to the domain admin, drop a flag in the error/security log.
>
> Matthew
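The policy sketched in this exchange (leap of faith on first contact, loud alert and a fresh start when a peer's certificate changes) is the same shape as an SSH known_hosts check. The following is an added example written for this archive page; it is not code from either poster nor from any XMPP server. It assumes a simple pin store keyed by peer domain, SHA-256 over the DER certificate as the fingerprint, and an assumed mapping of outcomes to s2s mechanisms: a matching pin allows SASL EXTERNAL, a first sighting falls back to dialback and records the pin, and a changed certificate is rejected, logged, and left for the admin to reset explicitly rather than being re-blessed by another dialback round (which is the MITM concern raised above). The certificate bytes in the demo are constructed placeholders, not real certificates.

```python
"""Added example: known_hosts-style certificate pinning for s2s leap of faith.

Not code from the original thread or any XMPP server. The policy below is an
assumption drawn from the discussion: pin on first sight, accept on match,
and on a changed certificate refuse, alert the admin, and require a reset.
"""
import hashlib
import logging
from dataclasses import dataclass, field

log = logging.getLogger("s2s.pins")


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, hex; a stable identity for one cert."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PinStore:
    """Maps a remote domain to the fingerprint we first trusted for it."""
    pins: dict = field(default_factory=dict)      # domain -> fingerprint (hex)
    alerts: list = field(default_factory=list)    # security-log entries

    def check(self, domain: str, cert_der: bytes) -> str:
        """Return 'first-seen', 'match' or 'changed' for this domain/cert pair."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(domain)
        if pinned is None:
            # Leap of faith: first contact, remember this cert for next time.
            self.pins[domain] = fp
            log.info("pinning %s for %s", fp, domain)
            return "first-seen"
        if pinned == fp:
            return "match"
        # Changed certificate: do NOT overwrite the pin. A legitimate renewal
        # and a MITM look identical here, so the admin has to decide.
        entry = f"{domain}: certificate changed, pinned={pinned} offered={fp}"
        self.alerts.append(entry)
        log.warning(entry)   # in a real deployment also IM/email the domain admin
        return "changed"

    def reset(self, domain: str) -> None:
        """Admin action: forget the pin so the next contact starts from scratch."""
        self.pins.pop(domain, None)


def s2s_auth_decision(store: PinStore, domain: str, cert_der: bytes) -> str:
    """Assumed policy mapping the pin result to how we authenticate the peer."""
    result = store.check(domain, cert_der)
    if result == "match":
        return "sasl-external"   # same cert we trusted before: EXTERNAL is fine
    if result == "first-seen":
        return "dialback"        # verify via dialback this time; pin is recorded
    return "reject"              # changed cert: don't let dialback re-bless it


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    store = PinStore()
    cert_a = b"constructed placeholder for example.org cert A"
    cert_b = b"constructed placeholder for example.org cert B"
    print(s2s_auth_decision(store, "example.org", cert_a))   # dialback
    print(s2s_auth_decision(store, "example.org", cert_a))   # sasl-external
    print(s2s_auth_decision(store, "example.org", cert_b))   # reject
    print(store.alerts)
    store.reset("example.org")                               # admin intervenes
    print(s2s_auth_decision(store, "example.org", cert_b))   # dialback again
```

The trade-off is the one the thread points at: an honest renewal after expiry trips the same alert as an attacker substituting a certificate, so the "changed" path deliberately stays closed until someone with out-of-band knowledge calls `reset`.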