[Standards-JIG] JEP-0170: dialback + TLS + SASL
justin-keyword-jabber.093179 at affinix.com
Wed Jan 18 19:23:18 UTC 2006
On Wednesday 18 January 2006 09:35, Peter Saint-Andre wrote:
> > starttls+dialback is widely on the network for months now...
> > You're probably too late to stop the juggernaut :-)
> Are people using self-signed certs for this? If so, how hard is it to
> just do TLS + SASL EXTERNAL and be done with it? I see no reason for
> dialback if you've already done TLS, but maybe I'm missing something.
In terms of authentication, a self-signed cert is worse than dialback.
Given that we already have TLS + iq:auth in the wild (e.g. jabber.org,
although this also goes against the RFC), I don't see a reason why we can't
skip SASL in s2s as well and simply have TLS + dialback. And, as JD noted,
doing TLS before dialback makes it possible to use dialback as a fallback
without doing both SASL and dialback in the same negotiation (similar to c2s
where you don't do both SASL and iq:auth).
My question still stands: how does this starttls+dialback that is "widely on
the network for months" work? Is it written "starttls+dialback" because the
operations literally occur in that sequence? In that case, is it exactly
what JD and I are proposing, or are there subtle differences?
Finally, I don't see a major harm in doing things correctly (whatever we
decide that to be) in a future RFC, even if that means breaking any alternate
mechanisms currently in the wild. As long as the new protocol is made in
such a way that it won't be ambiguous with a current one, it won't hurt
interoperability, since all servers supporting starttls+dialback will also
support plain dialback.
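The negotiation order argued for in the message above (STARTTLS first, SASL EXTERNAL only when the peer's certificate actually proves its domain, dialback as the fallback over the encrypted stream, never both SASL and dialback in one negotiation) as a runnable simulation. This is an added example, not code from the thread or from any Jabber server. Assumptions: dialback keys use the XEP-0185 construction (HMAC-SHA256 keyed with SHA256 of the domain secret), which postdates this thread; the domains, secrets and stanza text are constructed and simplified; certificate validation is modelled by two flags rather than a real chain check; and the "authoritative" server is passed in directly where a real receiving server would find it through DNS.

```python
"""Simulated s2s negotiation: STARTTLS, then SASL EXTERNAL or dialback."""
import hashlib
import hmac
import secrets


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Key the originating domain places in <db:result/> (XEP-0185 form, assumed).
    Only servers holding that domain's secret can produce or check it."""
    k = hashlib.sha256(secret).digest()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(k, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, domain: str, secret: bytes, cert_domain: str = "",
                 cert_trusted: bool = False):
        self.domain = domain                        # domain this server claims to speak for
        self.secret = secret                        # dialback secret shared by that domain's servers
        self.cert_domain = cert_domain or domain    # name carried in the presented certificate
        self.cert_trusted = cert_trusted            # chain validates against a trusted CA (assumed flag)

    def verify(self, receiving: str, originating: str, stream_id: str, key: str) -> str:
        """Authoritative-server side of <db:verify/>: recompute and compare."""
        if originating != self.domain:
            return "invalid"
        expected = dialback_key(self.secret, receiving, originating, stream_id)
        return "valid" if hmac.compare_digest(expected, key) else "invalid"


def negotiate(orig: Server, recv: Server, authoritative: Server, tls_ok: bool = True):
    """Run one originating->receiving negotiation; return (transcript, outcome).

    `authoritative` stands in for the server the receiving side would reach by
    resolving orig.domain in DNS; that lookup is what gives dialback its strength."""
    t = [f"{orig.domain} -> {recv.domain}: <stream:stream to='{recv.domain}'>",
         f"{recv.domain} -> {orig.domain}: <features><starttls/></features>"]
    if not tls_ok:
        return t, "refused: TLS required"
    t.append(f"{orig.domain} -> {recv.domain}: <starttls/>   [TLS handshake]")
    stream_id = secrets.token_hex(8)

    # Post-TLS: does the presented certificate prove the claimed domain?
    if orig.cert_trusted and orig.cert_domain == orig.domain:
        t += [f"{recv.domain} -> {orig.domain}: <features><mechanism>EXTERNAL</mechanism></features>",
              f"{orig.domain} -> {recv.domain}: <auth mechanism='EXTERNAL'/>",
              f"{recv.domain} -> {orig.domain}: <success/>"]
        return t, "sasl-external"

    # Self-signed or mismatched cert: TLS gave confidentiality only, so the
    # receiving server offers dialback instead of SASL (never both).
    key = dialback_key(orig.secret, recv.domain, orig.domain, stream_id)
    t += [f"{recv.domain} -> {orig.domain}: <features><dialback/></features>",
          f"{orig.domain} -> {recv.domain}: <db:result to='{recv.domain}' from='{orig.domain}'>{key}</db:result>",
          f"{recv.domain} -> {authoritative.domain}: <db:verify to='{orig.domain}' "
          f"from='{recv.domain}' id='{stream_id}'>{key}</db:verify>"]
    answer = authoritative.verify(recv.domain, orig.domain, stream_id, key)
    t += [f"{authoritative.domain} -> {recv.domain}: <db:verify type='{answer}'/>",
          f"{recv.domain} -> {orig.domain}: <db:result type='{answer}'/>"]
    return t, "dialback" if answer == "valid" else "refused: dialback key invalid"


# Constructed scenarios (names and secrets are made up).
RECV = Server("example.org", b"org-secret", cert_trusted=True)
LEGIT = Server("example.net", b"net-secret", cert_trusted=True)
LEGIT_SELF_SIGNED = Server("example.net", b"net-secret", cert_trusted=False)
# Impostor: self-signed cert bearing the victim's name, but without the
# victim domain's dialback secret.
IMPOSTOR = Server("example.net", b"attacker-secret", cert_trusted=False)


def run_all():
    return {
        "ca-cert": negotiate(LEGIT, RECV, LEGIT)[1],
        "self-signed": negotiate(LEGIT_SELF_SIGNED, RECV, LEGIT)[1],
        "impostor": negotiate(IMPOSTOR, RECV, LEGIT)[1],
        "no-tls": negotiate(LEGIT, RECV, LEGIT, tls_ok=False)[1],
    }


if __name__ == "__main__":
    for line in negotiate(LEGIT_SELF_SIGNED, RECV, LEGIT)[0]:
        print(line)
    print(run_all())
```

The "impostor" scenario is the point about a self-signed certificate being weaker than dialback: the certificate names example.net but proves nothing, and the receiving server only learns the truth by asking the real example.net (via DNS) to verify the key.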