[Standards-JIG] JEP-0170: dialback + TLS + SASL

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Wed Jan 18 19:23:18 UTC 2006


On Wednesday 18 January 2006 09:35, Peter Saint-Andre wrote:
> > starttls+dialback is widely on the network for months now...
> > You're probably too late to stop the juggernaut :-)
>
> Are people using self-signed certs for this? If so, how hard is it to
> just do TLS + SASL EXTERNAL and be done with it? I see no reason for
> dialback if you've already done TLS, but maybe I'm missing something.

In terms of authentication, a self-signed cert is worse than dialback.

Given that we already have TLS + iq:auth in the wild (e.g. jabber.org, 
although this also goes against the RFC), I don't see a reason why we can't 
skip SASL in s2s as well and simply have TLS + dialback.  And, as JD noted, 
doing TLS before dialback makes it possible to use dialback as a fallback 
without doing both SASL and dialback in the same negotiation (similar to c2s 
where you don't do both SASL and iq:auth).

My question still stands: how does this starttls+dialback that is "widely on 
the network for months" work?  Is it written "starttls+dialback" because the 
operations literally occur in that sequence?  In that case, is it exactly 
what JD and I are proposing, or are there subtle differences?

Finally, I don't see a major harm in doing things correctly (whatever we 
decide that to be) in a future RFC, even if that means breaking any alternate 
mechanisms currently in the wild.  As long as the new protocol is made in 
such a way that it won't be ambiguous to a current one, it won't hurt 
interoperability, since all servers supporting starttls+dialback will also 
support plain dialback.

-Justin
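The negotiation order discussed in this message (STARTTLS first, then SASL EXTERNAL only when the peer's certificate chains to a trusted CA and names the claimed domain, otherwise dialback as the fallback) and the claim that a self-signed certificate is weaker than dialback, as an added example that is not part of the original post and not the code of any real server. The domain-to-server map standing in for DNS, the certificate dictionaries, and the HMAC-based key recipe (in the style of XEP-0185, not something this post specifies) are assumptions made for the simulation.

```python
import hashlib
import hmac
import secrets


class Server:
    """One XMPP server that owns a domain and a dialback secret (constructed)."""

    def __init__(self, domain: str):
        self.domain = domain
        self.secret = secrets.token_bytes(32)

    def dialback_key(self, receiving: str, originating: str, stream_id: str) -> str:
        # Assumed key recipe (XEP-0185 style, not from the post): HMAC-SHA256 keyed
        # with SHA256(secret) over "receiving originating stream_id".
        k = hashlib.sha256(self.secret).hexdigest().encode()
        msg = f"{receiving} {originating} {stream_id}".encode()
        return hmac.new(k, msg, hashlib.sha256).hexdigest()

    def verify_key(self, receiving: str, originating: str, stream_id: str, key: str) -> bool:
        # The authoritative server can only recompute keys made with its own secret.
        return hmac.compare_digest(self.dialback_key(receiving, originating, stream_id), key)


def run_dialback(dns: dict, peer: Server, claimed_origin: str, receiving: Server, stream_id: str) -> bool:
    """Receiving side of dialback: the peer sends a key for the domain it claims
    (<db:result>); the receiving server opens a separate connection to whatever
    DNS says is authoritative for that domain and asks it to confirm the key
    (<db:verify>). The peer itself is never trusted to vouch for the claim."""
    key = peer.dialback_key(receiving.domain, claimed_origin, stream_id)
    authoritative = dns[claimed_origin]
    return authoritative.verify_key(receiving.domain, claimed_origin, stream_id, key)


def subject_matches_claim(cert: dict, claimed_origin: str) -> bool:
    """What a server learns from the certificate alone, with no CA validation:
    only that the peer put the claimed name into a certificate it controls."""
    return cert["subject"] == claimed_origin


def negotiate_s2s(dns: dict, peer: Server, claimed_origin: str, peer_cert: dict,
                  receiving: Server, trusted_cas: set) -> tuple:
    """Return (steps taken, authenticated?) for one inbound s2s stream."""
    steps = ["starttls"]  # always first: encryption no matter who issued the cert
    if peer_cert["issuer"] in trusted_cas and subject_matches_claim(peer_cert, claimed_origin):
        steps.append("sasl-external")  # CA-validated identity, no dialback needed
        return steps, True
    steps.append("dialback")  # self-signed or mismatched cert: fall back to dialback
    ok = run_dialback(dns, peer, claimed_origin, receiving, stream_id=secrets.token_hex(8))
    return steps, ok


# Constructed topology: the real example.org server, an impostor, and a receiver.
TRUSTED_CAS = {"Trusted Root CA"}
SELF_SIGNED_ORIGIN = {"subject": "example.org", "issuer": "example.org"}
SELF_SIGNED_FORGED = {"subject": "example.org", "issuer": "example.org"}  # impostor-made
CA_SIGNED_ORIGIN = {"subject": "example.org", "issuer": "Trusted Root CA"}


def build_world() -> tuple:
    origin = Server("example.org")
    impostor = Server("example.org")  # claims the same domain, different secret
    receiving = Server("jabber.example.net")
    dns = {"example.org": origin}  # only the real origin is authoritative
    return dns, origin, impostor, receiving


if __name__ == "__main__":
    dns, origin, impostor, receiving = build_world()
    print(negotiate_s2s(dns, origin, "example.org", SELF_SIGNED_ORIGIN, receiving, TRUSTED_CAS))
    print(negotiate_s2s(dns, impostor, "example.org", SELF_SIGNED_FORGED, receiving, TRUSTED_CAS))
    print(negotiate_s2s(dns, origin, "example.org", CA_SIGNED_ORIGIN, receiving, TRUSTED_CAS))
```

The impostor's self-signed certificate passes the name-only check exactly as the real server's does, which is why a self-signed cert by itself establishes nothing about domain ownership; dialback rejects the impostor because the authoritative server resolved through DNS cannot recompute its key. Doing STARTTLS before either mechanism means the fallback to dialback is decided after the certificate is seen, so no stream has to run both SASL and dialback.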


