[Standards-JIG] Start TLS + Dialback + SASL External
vinod.p at gmail.com
Sat Aug 20 05:40:32 UTC 2005
On 8/19/05, JD Conley <jd.conley at coversant.net> wrote:
> I was reminded of dialback + STARTTLS recently with a thread over on
> JDEV on TLS + SASL.
> I think we should be performing STARTTLS, then dialback, and then
> authenticating with SASL EXTERNAL after negotiation, as with TLS auth.
> :) Then we could have a fully compliant, and encrypted, XMPP S2S stream
> with the ease of use and reasonable level of authentication from the
> dialback connection.
Am I missing something? In my book, mutual TLS is great enough
without requiring Dialback.
> In this mystical world of mine, dialback with TLS and SASL EXTERNAL
> would be taken under the wing of XMPP rather than being the red-headed
> stepchild of S2S. RFC 3920 currently reads: "Documentation of dialback
> is included mainly for the sake of backward-compatibility with existing
> implementations and deployments." However, dialback is the only widely
> accepted means for XMPP servers to communicate with other, previously
> unknown domains, over the open internet.
> We have implemented S2S + SASL + STARTTLS mutual auth and people only
> use that in tight rings of trust (where they don't have general internet
> S2S enabled). This is good, but definitely not doable on a global
> scale, as we've all talked about before. The recent dialback + TLS
> effort is a great step forward. I'm of the opinion it should go
> further. :)
Just out of curiosity, how did you test the compliance on this? I'm
facing a compliance testing issue after implementing S2S + TLS + SASL.
> Any takers? I can move over to xmppwg, but it's been so dead
> recently... :)
I agree on the "dead" part.
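As an added illustration of the negotiation order JD proposes (STARTTLS, then dialback, then SASL EXTERNAL), here is a simulated server-to-server exchange showing both sides' stanzas and the checks the receiving server makes at each step. It is not code from this thread or from any XMPP server. It assumes constructed domain names, a constructed dialback secret, certificate names handed in as a list instead of a real TLS handshake, and the XEP-0185 dialback key construction (HMAC-SHA256 keyed with SHA-256 of a server secret), which postdates this 2005 discussion and is used here only as a concrete key recipe.

```python
"""Simulated XMPP S2S negotiation: STARTTLS -> dialback -> SASL EXTERNAL.
Added illustration; not the original post's code nor any server's. Domains,
secrets and certificate names are constructed for the example."""
import base64
import hashlib
import hmac
import secrets
from typing import List, Tuple

ORIGINATING = "example.org"   # constructed: the server dialing out
RECEIVING = "example.net"     # constructed: the server being dialed
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Key carried in <db:result>.  Assumption: XEP-0185 style, HMAC-SHA256 keyed
    with SHA-256(secret) over 'receiving originating stream-id', so the
    authoritative server can recompute it without per-stream state."""
    key = hashlib.sha256(secret).digest()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authoritative_verify(secret: bytes, receiving: str, originating: str,
                         stream_id: str, key: str) -> str:
    """Answer the originating domain's authoritative server gives to <db:verify>."""
    expected = dialback_key(secret, receiving, originating, stream_id)
    return "valid" if hmac.compare_digest(expected, key) else "invalid"


class Originating:
    def __init__(self, domain: str, secret: bytes, cert_names: List[str]):
        self.domain, self.secret, self.cert_names = domain, secret, cert_names


class Receiving:
    """Tracks how far the inbound stream has got and refuses stanzas that
    arrive out of the STARTTLS -> dialback -> EXTERNAL order."""
    def __init__(self, domain: str):
        self.domain = domain
        self.stream_id = secrets.token_hex(8)
        self.stage = "plain"            # plain -> tls -> dialback -> authenticated
        self.peer_cert_names: List[str] = []
        self.validated_domain = ""

    def on_tls_established(self, peer_cert_names: List[str]) -> None:
        self.peer_cert_names = list(peer_cert_names)
        self.stage = "tls"

    def on_dialback(self, originating: str, verdict: str) -> bool:
        if self.stage != "tls" or verdict != "valid":   # dialback only over the TLS stream
            return False
        self.validated_domain, self.stage = originating, "dialback"
        return True

    def on_sasl_external(self, authzid: str) -> bool:
        # EXTERNAL must claim the domain dialback just validated, and the
        # certificate presented at STARTTLS must name that same domain.
        if self.stage != "dialback" or authzid != self.validated_domain:
            return False
        if authzid not in self.peer_cert_names:
            return False
        self.stage = "authenticated"
        return True


def negotiate(orig: Originating, recv: Receiving, auth_secret: bytes) -> Tuple[List[Tuple[str, str]], str]:
    """Run the three steps; return the (sender, stanza) transcript and recv's
    final stage.  auth_secret is what the originating domain's authoritative
    server knows; it equals orig.secret only when orig really is that domain."""
    log: List[Tuple[str, str]] = []
    # 1. STARTTLS: the peer's certificate becomes available to the receiver.
    log.append((orig.domain, f"<starttls xmlns='{NS_TLS}'/>"))
    log.append((recv.domain, f"<proceed xmlns='{NS_TLS}'/>"))
    recv.on_tls_established(orig.cert_names)
    # 2. Dialback over the now-encrypted stream; the receiver dials the
    #    originating domain's authoritative server to check the key.
    key = dialback_key(orig.secret, recv.domain, orig.domain, recv.stream_id)
    log.append((orig.domain, f"<db:result to='{recv.domain}' from='{orig.domain}'>{key}</db:result>"))
    log.append((recv.domain, f"<db:verify to='{orig.domain}' from='{recv.domain}' id='{recv.stream_id}'>{key}</db:verify>"))
    verdict = authoritative_verify(auth_secret, recv.domain, orig.domain, recv.stream_id, key)
    log.append((orig.domain, f"<db:verify to='{recv.domain}' from='{orig.domain}' id='{recv.stream_id}' type='{verdict}'/>"))
    result = "valid" if recv.on_dialback(orig.domain, verdict) else "invalid"
    log.append((recv.domain, f"<db:result to='{orig.domain}' from='{recv.domain}' type='{result}'/>"))
    if result != "valid":
        return log, recv.stage
    # 3. SASL EXTERNAL, binding the TLS certificate to the validated domain.
    authzid = base64.b64encode(orig.domain.encode()).decode()
    log.append((orig.domain, f"<auth xmlns='{NS_SASL}' mechanism='EXTERNAL'>{authzid}</auth>"))
    ok = recv.on_sasl_external(base64.b64decode(authzid).decode())
    log.append((recv.domain, f"<success xmlns='{NS_SASL}'/>" if ok
               else f"<failure xmlns='{NS_SASL}'><not-authorized/></failure>"))
    return log, recv.stage


if __name__ == "__main__":
    honest = Originating(ORIGINATING, b"constructed-secret", [ORIGINATING])
    for who, stanza in negotiate(honest, Receiving(RECEIVING), honest.secret)[0]:
        print(f"{who:>12}: {stanza}")
```

Running it prints the honest transcript ending in `<success/>`. The two failure paths are the ones the thread cares about: a peer that claims example.org without its dialback secret is stopped at `<db:result type='invalid'/>` before SASL is ever offered, and a peer that passes dialback but presents a certificate naming some other host is refused at EXTERNAL, so the encrypted stream is never treated as authenticated for a domain its certificate does not name.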