[Standards] TLS certificate fun
dave at cridland.net
Tue May 13 14:17:05 UTC 2008
On Tue May 13 13:50:14 2008, Dave Cridland wrote:
> However, the jabber.org server doesn't know if the connection it
> opens to me has been authenticated as conference.jabber.org,
> jabber.org, or both; unless it specifies one or the other in the
> SASL EXTERNAL negotiation. - which of course will only tell it if
> I've accepted that identity alone.
Further thought - if it sends dialback to me when I recognise and
accept its certificate, I can reasonably choose to return acceptances
of them without actually dialling back, trusting that given the TLS
certificate, I can assume they work.
This means that the SASL EXTERNAL actually becomes optional, but it
also means that at least TLS is no worse than dialback in terms of
> Moreover, it has no way to communicate to me whether or not it
> accepts my certificate - so I don't know if I've authenticated, and
> therefore I don't know if I can send anything.
I could, of course, send jabber.org dialback requests through the
connection it's opened to me, given that I trust that it's
jabber.org. However, sending dialback requests from the receiver to
the originator is unusual - do people think it'd be safe to do this?
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Standards