[Standards] RFC 3920, 10.2/10.3: subdomain routing rules

Peter Saint-Andre stpeter at jabber.org
Thu Mar 29 20:34:47 UTC 2007


Dave Cridland wrote:
> On Thu Mar 29 14:13:15 2007, Matthias Wimmer wrote:
>> To enforce authentication of the receiving server we would have to 
>> disable dialback and require trusted certificates.
> 
> The problem is you have to essentially mandate a list of CAs, as I 
> understand things. 

Well, we do have a CA: https://www.xmpp.net/ :)

> Or, you can use leap-of-faith TLS in combination with 
> dialback, and at the least heavily reduce the attack's practical benefit.
> 
> Leap-of-faith TLS is basically where you assume that the certificate is 
> correct the first time, and you assume that a change - if the new 
> certificate is still not verifiable - is a spoof. It's not perfect, but 
> since people rarely want to intercept data from servers which have never 
> been used before, it's quite practical.

I agree with Matthias that leap-of-faith may not be practical for 
machine-to-machine communications.

Peter

-- 
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
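The leap-of-faith policy Dave describes above, as an added example (not code from this thread or from any XMPP server): a pin store that accepts a receiving server's certificate on first contact, treats a change to a still-unverifiable certificate as a spoof, and accepts a change that chains to a trusted CA. The LeapOfFaithStore class, the domain names and the certificate bytes are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Added example, not part of the original thread. Models the leap-of-faith
# TLS policy for server-to-server certificates: pin on first contact, reject
# an unverifiable change, accept (and re-pin) a CA-verified change. It is
# meant to run alongside dialback, not replace it.

FIRST_USE = "accepted: first contact, certificate pinned"
UNCHANGED = "accepted: matches pinned certificate"
CHANGED_VERIFIED = "accepted: changed but chains to a trusted CA; pin updated"
CHANGED_UNVERIFIED = "rejected: changed and not verifiable (possible spoof)"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, used as the pin."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class LeapOfFaithStore:
    # domain -> fingerprint pinned on first contact or last verified change
    pins: dict = field(default_factory=dict)

    def evaluate(self, domain: str, cert_der: bytes, ca_verified: bool) -> str:
        """Decide whether to accept the certificate `domain` just presented.

        ca_verified is True when the certificate chains to a CA the local
        server trusts. A verified certificate is always accepted and becomes
        the new pin; an unverified one is accepted only on first contact or
        when it is byte-identical to the pinned certificate.
        """
        fp = fingerprint(cert_der)
        pinned = self.pins.get(domain)
        if pinned is None:
            self.pins[domain] = fp          # leap of faith: trust first sight
            return FIRST_USE
        if fp == pinned:
            return UNCHANGED
        if ca_verified:
            self.pins[domain] = fp          # legitimate rollover, re-pin
            return CHANGED_VERIFIED
        return CHANGED_UNVERIFIED           # changed and still unverifiable
```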
