On Wed, Jan 18, 2006 at 10:35:57AM -0700, Peter Saint-Andre wrote:
> > > For now I'm speaking practically -- I'm not talking about what will be
> > > acceptable in rfc3920bis, just what works on the network. We'll deal
> > > with the IETF implications later. :-)
> >starttls+dialback is widely on the network for months now...
> >You're probably too late to stop the juggernaut :-)
> Are people using self-signed certs for this? If so, how hard is it to 
> just do TLS + SASL EXTERNAL and be done with it? I see no reason for 
> dialback if you've already done TLS, but maybe I'm missing something.

If the certs are self-signed and not known to the other party, then
dialback is much better than SASL EXTERNAL (which doesn't provide any
authentication then). It could also be used to provisionally verify
the self-signed certificate and cache it for further use (but then
dialback should never be used to override an already cached certificate).
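The policy sketched above, as an added example that is not code from this thread or from any XMPP server: a simulated server dialback check combined with a trust-on-first-use cache, so that a self-signed certificate pinned after one successful dialback is afterwards checked directly and is never overridden by a later dialback result. The key construction follows the form documented in XEP-0220 (HMAC-SHA256 keyed with the SHA-256 of the server secret, over "receiving originating stream-id"). The domains, secrets, stream ids and fingerprint strings are constructed test data, and the `AUTHORITATIVE_SECRETS` dictionary stands in for the DNS lookup and separate connection to the authoritative server that a real receiving server would make.

```python
"""Simulated server dialback plus a trust-on-first-use (TOFU) certificate cache.

Added illustration only; not the code of any XMPP server. Domains, secrets,
stream ids and fingerprints below are constructed test data.
"""
import hashlib
import hmac

# Constructed: the dialback secret held by each domain's authoritative server.
# A real receiving server would resolve the domain via DNS and open a fresh
# connection to the authoritative server; here that is a dictionary lookup.
AUTHORITATIVE_SECRETS = {
    "origin.example": b"origin-secret",
    "evil.example": b"evil-secret",
}


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Dialback key in the XEP-0220 form: HMAC-SHA256 keyed with SHA-256(secret)."""
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hashlib.sha256(secret).digest(), msg, hashlib.sha256).hexdigest()


def authoritative_verify(domain: str, receiving: str, stream_id: str, key: str) -> bool:
    """The authoritative server for `domain` recomputes the key and answers valid/invalid.

    Only a server holding the domain's secret can produce a matching key, which is
    what ties the claimed originating domain to the connection.
    """
    secret = AUTHORITATIVE_SECRETS.get(domain)
    if secret is None:
        return False
    expected = dialback_key(secret, receiving, domain, stream_id)
    return hmac.compare_digest(expected, key)


class ReceivingServer:
    """Receiving side: decides whether to accept a server-to-server stream."""

    def __init__(self, domain: str):
        self.domain = domain
        # originating domain -> certificate fingerprint pinned on first contact
        self.pinned: dict[str, str] = {}

    def accept_stream(self, originating: str, stream_id: str, presented_fp: str, key: str):
        """Return (accepted, reason) for a stream from `originating`.

        `presented_fp` is the fingerprint of the self-signed cert seen in the TLS
        handshake; `key` is the dialback key the originating server sent.
        """
        cached = self.pinned.get(originating)
        if cached is not None:
            # Known certificate: the TLS identity alone decides, as it would with
            # SASL EXTERNAL against a trusted cert. Dialback is not consulted, so a
            # valid-looking key can never override a pinned certificate.
            if hmac.compare_digest(cached, presented_fp):
                return True, "certificate matches pinned fingerprint"
            return False, "certificate mismatch; dialback may not override cached certificate"
        # Unknown self-signed certificate: it proves nothing by itself, so fall
        # back to dialback, and pin the certificate only if dialback succeeds.
        if not authoritative_verify(originating, self.domain, stream_id, key):
            return False, "dialback failed"
        self.pinned[originating] = presented_fp
        return True, "dialback valid; certificate pinned for future use"


def scenario() -> list:
    """Walk through first contact, reconnect, cert change, and an impersonation attempt."""
    recv = ReceivingServer("recv.example")
    out = []
    # 1. First contact: unknown cert "fp-A", valid key from the real origin.example.
    k1 = dialback_key(b"origin-secret", "recv.example", "origin.example", "sid-1")
    out.append(recv.accept_stream("origin.example", "sid-1", "fp-A", k1))
    # 2. Reconnect with the pinned cert: accepted without any dialback.
    out.append(recv.accept_stream("origin.example", "sid-2", "fp-A", "not-checked"))
    # 3. Different cert with a *valid* key (e.g. a hijacked authoritative lookup):
    #    rejected, because dialback must not override the pinned certificate.
    k3 = dialback_key(b"origin-secret", "recv.example", "origin.example", "sid-3")
    out.append(recv.accept_stream("origin.example", "sid-3", "fp-B", k3))
    # 4. evil.example claims to be a never-seen domain without its secret: dialback fails.
    k4 = dialback_key(b"evil-secret", "recv.example", "other.example", "sid-4")
    out.append(recv.accept_stream("other.example", "sid-4", "fp-C", k4))
    return out


if __name__ == "__main__":
    for accepted, reason in scenario():
        print("accept" if accepted else "reject", "-", reason)
```

Step 3 is the case the message warns about: once a certificate is cached, a later dialback result, however it was obtained, is ignored in favour of the pinned certificate, so the only way to change it is an explicit operator action rather than another dialback.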


