[Standards-JIG] stream:error for dialback with no SASL support

JD Conley jconley at winfessor.com
Mon Jul 26 19:54:53 UTC 2004


> -----Original Message-----
> From: Matthias Wimmer [mailto:m at tthias.net]
> Sent: Monday, July 26, 2004 12:19 PM


> JD Conley schrieb am 2004-07-26 11:43:44:
> > We rely on the fact that the X.509 certificates are trusted.
> [...]
> 
> I have to agree ... EXTERNAL using certificates can work on a public
> network very well - the only problem for wide-spread usage would be that
> most servers are run by individuals who I guess won't buy "official"
> certificates. I guess I have to adjust my thinking about this a bit.

Yeah.  This brings us back to the JSF-run CA, or at least recommending a
free CA that individuals can use and that can be reasonably trusted.
Corporations may not trust the CA, but at least those on the greater
community network would.  Many corporations turn off S2S altogether or
set up a zebra list of domains that can be contacted based on certificate
trust chains or other server configuration.

> > So you may never receive an xmlns:db on the incoming stream.  And,
> > technically, a SASL S2S connection can be mutually authenticated
> > through TLS and SASL EXTERNAL so the incoming and outgoing stream can
> > be on the same socket.
> 
> I may be wrong, but it has been discussed (on the xmppwg list I think)
> if SASL streams can be bidirectional, and I thought the result was
> that they are unidirectional as well. I'll have to check XMPP core
> again for this.

Yeah, it was discussed a few times.  I don't remember where it ended up.
But in any case no Dialback would occur with SASL.  You would have
either one or two socket connections with a single stream in each
direction.  I just looked at the code and right now SoapBox does it with
two connections as you have mentioned.  It also mutually authenticates
on both the incoming and outgoing connections to ensure the maximum
level of trust.


JD
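As an added illustration of the S2S trust decision discussed in this thread (this is example code written for this archive page, not SoapBox or any other server's code; the class names, policy strings and the `choose_s2s_auth`/`authenticate_pair` helpers are assumptions), the model below shows the two outcomes JD describes: when TLS plus a trusted certificate chain and SASL EXTERNAL are available, no dialback takes place, and the pair of connections is trusted only if the mutual check succeeds in both directions; a self-signed certificate, as Matthias expects from individually run servers, falls back to dialback unless the domain's "zebra list" rule forbids it.

```python
from dataclasses import dataclass, field

# Constructed model of one peer's offer on a single S2S connection
# (hypothetical field names; not drawn from any XMPP implementation).
@dataclass
class PeerOffer:
    domain: str
    tls: bool                          # STARTTLS completed on this socket
    sasl_mechanisms: tuple = ()        # mechanisms advertised after TLS
    cert_chain_trusted: bool = False   # chain validates to a CA we trust
    cert_subject_domain: str = ""      # identity carried in the certificate


# Constructed server policy: a per-domain "zebra list" with a default rule.
# Rule values (assumed): "external" (certificate auth only),
# "dialback" (allow dialback fallback), "deny" (no S2S at all).
@dataclass
class ServerPolicy:
    domain_rules: dict = field(default_factory=dict)
    default_rule: str = "dialback"


def choose_s2s_auth(offer: PeerOffer, policy: ServerPolicy) -> dict:
    """Decide how a single stream direction gets authenticated."""
    rule = policy.domain_rules.get(offer.domain, policy.default_rule)
    if rule == "deny":
        return {"method": None, "allowed": False, "dialback": False}

    # SASL EXTERNAL is only meaningful once TLS is up, the peer offers it,
    # the chain is trusted and the certificate identity matches the domain.
    external_ok = (
        offer.tls
        and "EXTERNAL" in offer.sasl_mechanisms
        and offer.cert_chain_trusted
        and offer.cert_subject_domain == offer.domain
    )
    if external_ok:
        # Certificate-based authentication: no xmlns:db traffic at all.
        return {"method": "SASL EXTERNAL", "allowed": True, "dialback": False}

    if rule == "external":
        # Policy requires certificate trust and the peer cannot provide it.
        return {"method": None, "allowed": False, "dialback": False}

    # Fallback: classic dialback, which gives domain ownership, not identity.
    return {"method": "dialback", "allowed": True, "dialback": True}


def authenticate_pair(outgoing: PeerOffer, incoming: PeerOffer,
                      policy: ServerPolicy) -> dict:
    """Mutual check across the two unidirectional connections.

    Each socket carries one stream direction, so the peer is trusted only
    when both the outgoing and the incoming connection authenticate.
    """
    out = choose_s2s_auth(outgoing, policy)
    inc = choose_s2s_auth(incoming, policy)
    return {
        "sockets": 2,
        "trusted": out["allowed"] and inc["allowed"],
        "dialback_used": out["dialback"] or inc["dialback"],
        "outgoing": out["method"],
        "incoming": inc["method"],
    }


# Constructed sample peers for a quick run.
CA_PEER = PeerOffer("corp.example", True, ("EXTERNAL",), True, "corp.example")
SELF_SIGNED_PEER = PeerOffer("hobby.example", True, ("EXTERNAL",), False,
                             "hobby.example")
NO_TLS_PEER = PeerOffer("legacy.example", False)

POLICY = ServerPolicy({"corp.example": "external", "blocked.example": "deny"})

if __name__ == "__main__":
    print(authenticate_pair(CA_PEER, CA_PEER, POLICY))
    print(authenticate_pair(SELF_SIGNED_PEER, SELF_SIGNED_PEER, POLICY))
    print(authenticate_pair(NO_TLS_PEER, NO_TLS_PEER, POLICY))
```

Running it shows the CA-backed peer authenticating with SASL EXTERNAL in both directions with no dialback, the self-signed peer dropping to dialback on both connections, and a peer whose domain is pinned to "external" in the list but that cannot present a trusted chain being refused outright.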



