[Standards] TLS certificate fun

Dave Cridland dave at cridland.net
Tue May 13 14:17:05 UTC 2008


On Tue May 13 13:50:14 2008, Dave Cridland wrote:
> However, the jabber.org server doesn't know if the connection it
> opens to me has been authenticated as conference.jabber.org,
> jabber.org, or both; unless it specifies one or the other in the
> SASL EXTERNAL negotiation. - which of course will only tell it if
> I've accepted that identity alone.
>
>
Further thought - if it sends dialback to me when I recognise and  
accept its certificate, I can reasonably choose to return acceptances  
of them without actually dialling back, trusting that given the TLS  
certificate, I can assume they work.

This means that the SASL EXTERNAL actually becomes optional, but it  
also means that at least TLS is no worse than dialback in terms of  
efficiency.


> Moreover, it has no way to communicate to me whether or not it
> accepts my certificate - so I don't know if I've authenticated, and
> therefore I don't know if I can send anything.

I could, of course, send jabber.org dialback requests through the  
connection it's opened to me, given that I trust that it's  
jabber.org. However, sending dialback requests from the receiver to  
the originator is unusual - do people think it'd be safe to do this?

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
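The decision the post describes for the receiving side, as an added example that is not the author's code: accept a `<db:result>` for a domain the peer's validated TLS certificate already covers, and fall back to dialling back the authoritative server otherwise. The key derivation is assumed to follow XEP-0220 (HMAC-SHA256 keyed with SHA256 of the originating server's secret); the domains, secret and stream id are constructed values.

```python
import hashlib
import hmac

# Constructed values for the example (not from the post).
SECRET = b"originating-server-secret"
STREAM_ID = "D60000229F"


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Dialback key: HMAC-SHA256 keyed with SHA256(secret) over
    "receiving originating stream_id" (assumed XEP-0220 construction)."""
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hashlib.sha256(secret).digest(), msg, hashlib.sha256).hexdigest()


def authoritative_verify(secret: bytes, receiving: str, originating: str,
                         stream_id: str, key: str) -> bool:
    """What the authoritative server answers on the dial-back connection:
    does this key belong to a stream it really opened to `receiving`?"""
    expected = dialback_key(secret, receiving, originating, stream_id)
    return hmac.compare_digest(expected, key)


def handle_db_result(tls_domains, receiving, originating, stream_id, key, verify):
    """Receiving server's decision on an incoming <db:result from=originating>.

    tls_domains: names the peer's validated TLS certificate covers (empty set
                 when there is no valid certificate).
    verify:      callable that performs the actual dial-back to the
                 authoritative server and returns True/False.
    Returns (result, method) where method records how the identity was settled.
    """
    if originating in tls_domains:
        # TLS already established this identity, so the post's shortcut applies:
        # answer "valid" without dialling back. Note the check is per asserted
        # domain, so a cert for jabber.org alone does not cover conference.jabber.org.
        return "valid", "tls"
    # No usable certificate for this name: do the ordinary dialback verification.
    if verify(receiving, originating, stream_id, key):
        return "valid", "dialback"
    return "invalid", "dialback"
```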