[Standards-JIG] Start TLS + Dialback + SASL External

Vinod Panicker vinod.p at gmail.com
Sat Aug 20 05:40:32 UTC 2005


On 8/19/05, JD Conley <jd.conley at coversant.net> wrote:
> I was reminded of dialback + STARTTLS recently with a thread over on
> JDEV on TLS + SASL.
> 
> I think we should be performing STARTTLS, then dialback, and then
> authenticating with SASL EXTERNAL after negotiation, as with TLS auth.
> :)  Then we could have a fully compliant, and encrypted, XMPP S2S stream
> with the ease of use and reasonable level of authentication from the
> dialback connection.

Am I missing something?  In my books TLS mutual is great enough
without requiring Dialback.

> In this mystical world of mine, dialback with TLS and SASL EXTERNAL
> would be taken under the wing of XMPP rather than being the red-headed
> step child of S2S. RFC3920 currently reads: "Documentation of dialback
> is included mainly for the sake of backward-compatibility with existing
> implementations and deployments."  However, dialback is the only widely
> accepted means for XMPP servers to communicate with other, previously
> unknown domains, over the open internet.
> 
> We have implemented S2S + SASL + STARTTLS mutual auth and people only
> use that in tight rings of trust (where they don't have general internet
> S2S enabled).  This is good, but definitely not do-able on a global
> scale, as we've all talked about before.  The recent dialback + TLS
> effort is a great step forward.  I'm of the opinion it should go
> further. :)

Just out of curiosity, how did you test the compliance on this?  I'm
facing a compliance testing issue after implementing S2S + TLS + SASL.

> Any takers?  I can move over to xmppwg, but it's been so dead
> recently... :)

I agree on the "dead" part.

Regards,
Vinod.
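
A sketch of the ordering JD proposes (STARTTLS, then dialback, then SASL EXTERNAL bound to the domain dialback just proved), added here as an illustration and not code from either poster's server. The dialback key formula is assumed from XEP-0185, and the <db:verify> round trip to the authoritative server is replaced by a locally held secret so the receiving side can be exercised offline.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_DB = "jabber:server:dialback"

def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Key the originating server places in <db:result>; formula assumed from XEP-0185."""
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hashlib.sha256(secret).digest(), msg, hashlib.sha256).hexdigest()

def external_auth(domain: str) -> str:
    """SASL EXTERNAL <auth/> carrying the domain as base64 authzid, as the originating server sends it."""
    return f"<auth xmlns='{NS_SASL}' mechanism='EXTERNAL'>{base64.b64encode(domain.encode()).decode()}</auth>"

class ReceivingServer:
    def __init__(self, domain: str, stream_id: str, authoritative_secret: bytes):
        self.domain, self.stream_id = domain, stream_id
        # Stand-in for the <db:verify> round trip: secret held locally (constructed for this example)
        self.authoritative_secret = authoritative_secret
        self.tls = False
        self.dialback_from = None  # domain vouched for by dialback
        self.authenticated = None  # domain granted by SASL EXTERNAL

    def handle(self, xml: str) -> str:
        el = ET.fromstring(xml)
        if el.tag == f"{{{NS_TLS}}}starttls":
            self.tls = True
            return f"<proceed xmlns='{NS_TLS}'/>"
        if el.tag == f"{{{NS_DB}}}result":
            if not self.tls:  # dialback key must never travel in the clear
                return "<stream:error><not-authorized/></stream:error>"
            origin = el.get("from")
            expected = dialback_key(self.authoritative_secret, self.domain, origin, self.stream_id)
            valid = hmac.compare_digest(expected, el.text or "")
            if valid:
                self.dialback_from = origin
            verdict = "valid" if valid else "invalid"
            return f"<db:result from='{self.domain}' to='{origin}' type='{verdict}'/>"
        if el.tag == f"{{{NS_SASL}}}auth" and el.get("mechanism") == "EXTERNAL":
            authzid = base64.b64decode(el.text or "").decode()
            # Grant EXTERNAL only to the identity that dialback (over TLS) already established
            if self.tls and self.dialback_from == authzid:
                self.authenticated = authzid
                return f"<success xmlns='{NS_SASL}'/>"
            return f"<failure xmlns='{NS_SASL}'><not-authorized/></failure>"
        return "<stream:error><unsupported-stanza-type/></stream:error>"
```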