[Standards-JIG] Start TLS + Dialback + SASL External

JD Conley jd.conley at coversant.net
Fri Aug 19 17:30:18 UTC 2005


I was reminded of dialback + STARTTLS recently with a thread over on
JDEV on TLS + SASL.

I think we should be performing STARTTLS, then dialback, and then
authenticating with SASL EXTERNAL after negotiation, as with TLS auth.
:)  Then we could have a fully compliant, and encrypted, XMPP S2S stream
with the ease of use and reasonable level of authentication from the
dialback connection.

In this mystical world of mine, dialback with TLS and SASL EXTERNAL
would be taken under the wing of XMPP rather than being the red-headed
stepchild of S2S. RFC3920 currently reads: "Documentation of dialback
is included mainly for the sake of backward-compatibility with existing
implementations and deployments."  However, dialback is the only widely
accepted means for XMPP servers to communicate with other, previously
unknown domains over the open internet.

We have implemented S2S + SASL + STARTTLS mutual auth and people only
use that in tight rings of trust (where they don't have general internet
S2S enabled).  This is good, but definitely not do-able on a global
scale, as we've all talked about before.  The recent dialback + TLS
effort is a great step forward.  I'm of the opinion it should go
further. :)

Any takers?  I can move over to xmppwg, but it's been so dead
recently... :)

-JD Conley
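The ordering proposed above (STARTTLS, then dialback, then SASL EXTERNAL), as an added example that is not from the original post or from any XMPP server implementation: a receiving-side policy check that accepts dialback and SASL EXTERNAL only on an already-encrypted stream and requires the SASL EXTERNAL identity to match both the peer certificate and the dialback-verified domain. The event names and the trace format are assumptions of this example; the stanza details of RFC 3920 are not modelled.

```python
# Added example (not from the original post): receiving-server policy for the
# proposed S2S ordering STARTTLS -> dialback -> SASL EXTERNAL.
# Event names and the (event, argument) trace format are constructed here.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class S2SState:
    tls: bool = False
    cert_domains: Tuple[str, ...] = ()       # identities named in the peer's TLS cert
    dialback_domain: Optional[str] = None    # domain verified via dialback
    sasl_domain: Optional[str] = None        # domain authenticated via SASL EXTERNAL
    log: List[str] = field(default_factory=list)


def handle(state: S2SState, event: str, arg=None) -> bool:
    """Apply one negotiation event; return False (and log why) if policy rejects it."""
    if event == "starttls":
        state.tls = True
        state.cert_domains = tuple(arg or ())  # identities from the peer certificate
        return True
    if not state.tls:
        # The proposal on the list: dialback and SASL only after TLS is up.
        state.log.append(f"rejected {event}: stream not yet encrypted")
        return False
    if event == "dialback-verified":
        state.dialback_domain = arg
        return True
    if event == "sasl-external":
        # EXTERNAL asserts the identity the TLS certificate already proved; it must
        # also agree with the domain dialback verified, or the two proofs name
        # different principals on the same stream.
        if arg not in state.cert_domains:
            state.log.append(f"rejected sasl-external: {arg} not in certificate")
            return False
        if state.dialback_domain != arg:
            state.log.append(f"rejected sasl-external: dialback verified {state.dialback_domain}")
            return False
        state.sasl_domain = arg
        return True
    raise ValueError(f"unknown event {event}")


def run(trace) -> Tuple[bool, S2SState]:
    """Run a trace; negotiation stops at the first rejected event."""
    state = S2SState()
    ok = all(handle(state, ev, arg) for ev, arg in trace)
    return ok, state
```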
