[Standards-JIG] Start TLS + Dialback + SASL External
jajcus at jajcus.net
Sat Aug 20 09:33:45 UTC 2005
On Sat, Aug 20, 2005 at 11:10:32AM +0530, Vinod Panicker wrote:
> On 8/19/05, JD Conley <jd.conley at coversant.net> wrote:
> > I was reminded of dialback + STARTTLS recently with a thread over on
> > JDEV on TLS + SASL.
> > I think we should be performing STARTTLS, then dialback, and then
> > authenticating with SASL EXTERNAL after negotiation, as with TLS auth.
> > :) Then we could have a fully compliant, and encrypted, XMPP S2S stream
> > with the ease of use and reasonable level of authentication from the
> > dialback connection.
> Am I missing something? In my books TLS mutual is great enough
> without requiring Dialback.
TLS mutual is as good as the certificates used. I guess some people will
trust DNS more than some unknown CA, and DNS should always be trusted
more than a self-signed certificate. If we want TLS for encryption but
also to keep the server authentication at the same level we have it with
dialback, then using TLS with dialback makes sense.
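As an added illustration, not part of the thread or of any XMPP server's code, the following Python simulates the dialback exchange the thread refers to: the originating server sends a key, the receiving server looks up the authoritative server for the claimed domain (here a dict standing in for DNS) and asks it to verify, and the authoritative server recomputes the key from the shared secret. The key construction is the one XEP-0220 recommends (HMAC-SHA256 keyed with SHA256 of the secret over receiving domain, originating domain and stream ID); the domains, secrets and message dicts are constructed for the example. It shows what dialback actually proves, which is the point of the reply above: the peer controls whatever server DNS names for that domain, no more and no less.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict

# Messages are plain dicts standing in for the <db:result/> and <db:verify/>
# elements of XEP-0220 (illustration only, not a wire format).
Message = Dict[str, str]


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Key construction recommended by XEP-0220:
    HMAC-SHA256(SHA256(secret), receiving + ' ' + originating + ' ' + stream_id)."""
    hmac_key = hashlib.sha256(secret).digest()
    text = f"{receiving} {originating} {stream_id}".encode("utf-8")
    return hmac.new(hmac_key, text, hashlib.sha256).hexdigest()


class AuthoritativeServer:
    """The server DNS names for the originating domain. It shares the dialback
    secret with the originating server (normally the same deployment) and
    answers <db:verify/> queries from receiving servers."""

    def __init__(self, domain: str, secret: bytes) -> None:
        self.domain = domain
        self.secret = secret

    def verify(self, msg: Message) -> Message:
        # In the <db:verify/> request, 'from' is the receiving server and
        # 'to' is the originating domain whose key is being checked.
        expected = dialback_key(self.secret, msg["from"], msg["to"], msg["id"])
        ok = hmac.compare_digest(expected, msg["key"])  # constant-time compare
        return {"elem": "db:verify", "from": msg["to"], "to": msg["from"],
                "id": msg["id"], "type": "valid" if ok else "invalid"}


class OriginatingServer:
    def __init__(self, domain: str, secret: bytes) -> None:
        self.domain = domain
        self.secret = secret

    def db_result(self, receiving: str, stream_id: str) -> Message:
        """Step 1: Originating -> Receiving: <db:result from= to=>key</db:result>."""
        return {"elem": "db:result", "from": self.domain, "to": receiving,
                "key": dialback_key(self.secret, receiving, self.domain, stream_id)}


class ReceivingServer:
    def __init__(self, domain: str, resolve: Callable[[str], AuthoritativeServer]) -> None:
        self.domain = domain
        self.resolve = resolve  # stands in for the DNS lookup of the claimed domain
        self.authenticated_peers = set()

    def handle_db_result(self, msg: Message, stream_id: str) -> Message:
        """Steps 2-4: ask the authoritative server for msg['from'] whether the key is valid."""
        if msg["to"] != self.domain:
            return {"elem": "db:result", "from": self.domain, "to": msg["from"], "type": "invalid"}
        authoritative = self.resolve(msg["from"])
        verify_req = {"elem": "db:verify", "from": self.domain, "to": msg["from"],
                      "id": stream_id, "key": msg["key"]}
        answer = authoritative.verify(verify_req)
        valid = answer["type"] == "valid"
        if valid:
            self.authenticated_peers.add(msg["from"])
        return {"elem": "db:result", "from": self.domain, "to": msg["from"],
                "type": "valid" if valid else "invalid"}


def run_dialback(originating: OriginatingServer, receiving: ReceivingServer) -> bool:
    """Run one complete dialback exchange and report whether the peer was accepted."""
    stream_id = secrets.token_hex(16)  # stream ID chosen by the receiving server
    result = receiving.handle_db_result(originating.db_result(receiving.domain, stream_id), stream_id)
    return result["type"] == "valid"


def demo() -> dict:
    """Constructed scenario: a genuine example.org peer and a server that merely
    claims example.org without holding its secret. Only the genuine one passes."""
    legit_secret = b"constructed-secret-of-example.org"
    dns = {"example.org": AuthoritativeServer("example.org", legit_secret)}
    receiving = ReceivingServer("example.net", lambda domain: dns[domain])
    genuine = OriginatingServer("example.org", legit_secret)
    claimant = OriginatingServer("example.org", b"some-other-secret")
    return {"genuine": run_dialback(genuine, receiving),
            "claimant": run_dialback(claimant, receiving),
            "peers": sorted(receiving.authenticated_peers)}


if __name__ == "__main__":
    print(demo())
```

Note that nothing here inspects a TLS certificate: in the ordering JD proposes, STARTTLS runs first so the exchange is encrypted, dialback then establishes the DNS-level identity, and SASL EXTERNAL lets the receiving server treat that identity as the authenticated stream peer.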