[Standards-JIG] JEP-0170: dialback + TLS + SASL

JD Conley jd.conley at coversant.net
Tue Jan 17 21:28:31 UTC 2006


> JEP-0170 is, so far, silent on the order of TLS, SASL, and dialback for
> server-to-server communications. RFC 3920 basically says "dialback is a
> legacy protocol, use TLS then SASL" but I wonder if the following order
> makes sense:
> 
> 1. Dialback
> 2. TLS
> 3. SASL

I see advantages in doing TLS before Dialback. First off, you get added
security during the exchange of Dialback keys if it's wrapped in TLS
encryption, whether certs are authenticated or not. Second, it becomes
perceived as a "fallback" rather than a "pre screening" mechanism.

Workflow:
The receiving entity requests mutual authentication during StartTLS if
it supports SASL. The originating entity then provides a cert, or not.
If cert authentication fails or no originating cert is presented
Dialback is then used. If mutual cert authentication succeeds, the SASL
EXTERNAL stream feature is presented and no Dialback is required.

Both entities have the option to disable Dialback fallback and thus
failure of TLS mutual authentication and SASL EXTERNAL would be fatal to
the S2S connection in the extra secure situations.

If Dialback fallback is permitted, the channel is already encrypted with
TLS.

-JD Conley
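The TLS-first workflow described above, as an added example that is not code from the post or from any XMPP server; the stream feature names and the rule that nothing proceeds when STARTTLS fails are assumptions:

```python
"""TLS -> (SASL EXTERNAL | dialback fallback | close) decision logic.
Hypothetical helper modelling the ordering proposed in the post."""
from dataclasses import dataclass
from enum import Enum


class Step(Enum):
    SASL_EXTERNAL = "sasl-external"   # mutual cert auth succeeded
    DIALBACK = "dialback"             # fallback, already inside TLS
    CLOSE = "close-stream"            # no acceptable auth path left


@dataclass(frozen=True)
class TlsOutcome:
    established: bool      # STARTTLS completed
    cert_presented: bool   # originator sent a certificate at all
    cert_verified: bool    # chain and name check passed on the receiver


@dataclass(frozen=True)
class Policy:
    receiver_allows_dialback: bool    # receiver permits dialback fallback
    originator_allows_dialback: bool  # originator permits dialback fallback


def advertised_features(tls: TlsOutcome, policy: Policy) -> list[str]:
    """Stream features the receiver offers after STARTTLS (assumed names)."""
    if not tls.established:
        return []                       # assumption: no TLS, no features
    if tls.cert_presented and tls.cert_verified:
        return ["mechanisms:EXTERNAL"]  # mutual auth ok, no dialback needed
    if policy.receiver_allows_dialback:
        return ["dialback"]             # fallback offered inside TLS
    return []                           # "extra secure": fallback disabled


def next_step(tls: TlsOutcome, policy: Policy) -> Step:
    """Originator's next action, given what the receiver advertised."""
    features = advertised_features(tls, policy)
    if "mechanisms:EXTERNAL" in features:
        return Step.SASL_EXTERNAL
    # Both sides must still permit dialback for the fallback to be used.
    if "dialback" in features and policy.originator_allows_dialback:
        return Step.DIALBACK
    return Step.CLOSE
```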
