[Standards] various rfc3920bis feedback

Pavel Simerda pavlix at pavlix.net
Tue Feb 24 18:24:28 UTC 2009


On Tue, 24 Feb 2009 13:07:16 +0100
Philipp Hancke <fippo at goodadvice.pages.de> wrote:

> Dave Cridland wrote:
> [snip]
> >>
> >> *nod*
> >> Might be a problem if a server requires EXTERNAL, but this is rare
> >> in uncontrolled environments anyway.
> >>
> >> That would make 0178 c2s-only and it could be merged with 0257
> >> somehow.
> >>
> >>
> > That's possible. But then, 0178 should get merged with rfc3920bis.
> 
> That might be true for 0220 as well. Especially if we go for (3).
> 
> [snip]
> >> "You're telling me the key is valid without checking it? Then you
> >> must be lying."
> > 
> > But it makes no sense. If the remote end doesn't validate the key,
> > but authorizes you anyway, then you're authorized, and it doesn't
> > matter whether or not you think they did it right.
> 
> *nod*
> No assumptions about how (and if) the receiving server asserts my
> identity.
> 
> >> I think dialback was not designed to protect from that anyway.
> >>
> >>
> > Protect from what?
> 
> A receiving server who is not who he claims to be.

I believe it's the main point in using dialback. Client-to-server
connections 

> [snip]
> >> There are two problems with that approach:
> >> 1) you do not know if the remote server is up and listening for
> >>    connections. See above.
> >> 2) an evil user on the remote system (other than the user who is
> >>    running the jabber server) who is able to open connection to
> >>    remote servers.
> >>
> >> I do not think (2) is a real problem, especially not when
> >> certificates are used.
> > 
> > If a trustworthy certificate is used, then we don't need to
> > dialback, certainly. (And trustworthy can mean "we've dialled back
> > before and we know this one"). Without that, then scenario (2) is
> > possible.
> > 
> > So it's not really worth pursuing that one.
> 
> Solving host security is not an XMPP problem, yes.

XMPP's problem is to allow for solutions, though, and even to promote
security awareness.

> I am not sure if the
> slight protection that dialback offers against (2) is intentional.
> (1) is a problem anyway, so I think the answer to your question is
> "yes, but is TLS really required?".

This is a question you can answer yourself.

> 
> Philipp


-- 

Freelance consultant and trainer
in networking, communications and security.

Web: http://www.pavlix.net/
Jabber, Mail: pavlix(at)pavlix.net
OpenID: pavlix.net
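To make the dialback points in this thread concrete, here is an added example (not code from the thread, nor from any XMPP server) that simulates the originating, receiving and authoritative parties of a dialback exchange. The key construction follows XEP-0220 (HMAC-SHA256, keyed with the hex SHA-256 of the server secret, over "receiving originating stream-id"); the domains, stream ID and secret are constructed values, and the rogue-user case models scenario (2) from the quoted text.

```python
import hashlib
import hmac

# Constructed values for the simulation (not from the thread).
ORIGINATING = "example.org"      # domain the connecting side claims
RECEIVING = "example.net"        # server that must decide whether to trust it
STREAM_ID = "D60000229F"         # assigned by the receiving server in its stream header
ORIG_SECRET = "constructed-server-secret"  # known only to example.org's real server


def dialback_key(secret: str, receiving: str, originating: str, stream_id: str) -> str:
    """XEP-0220 key: HMAC-SHA256 keyed with hex(SHA256(secret)) over
    'receiving originating stream_id'."""
    hashed_secret = hashlib.sha256(secret.encode()).hexdigest().encode()
    message = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hashed_secret, message, hashlib.sha256).hexdigest()


def authoritative_verify(secret: str, receiving: str, originating: str,
                         stream_id: str, key: str) -> str:
    """Authoritative server for `originating` recomputes the key it would have
    generated and answers the <db:verify/> request with 'valid' or 'invalid'."""
    expected = dialback_key(secret, receiving, originating, stream_id)
    return "valid" if hmac.compare_digest(expected, key) else "invalid"


def receiving_server_check(claimed_from: str, stream_id: str, key: str,
                           authoritative_secret: str) -> str:
    """Receiving server: on <db:result from=claimed_from>key</db:result> it looks
    up the authoritative server for claimed_from (DNS, simulated here by passing
    that server's secret) and relays the key for verification."""
    return authoritative_verify(authoritative_secret, RECEIVING, claimed_from, stream_id, key)


def legitimate_connection() -> str:
    """The real example.org server connects and presents a key derived from its secret."""
    key = dialback_key(ORIG_SECRET, RECEIVING, ORIGINATING, STREAM_ID)
    return receiving_server_check(ORIGINATING, STREAM_ID, key, ORIG_SECRET)


def rogue_local_user_connection() -> str:
    """Scenario (2): an unprivileged user on the example.org host opens an s2s
    connection and claims to be example.org. The domain and stream ID are
    public, but the server secret is not, so the relayed key does not verify."""
    forged_key = dialback_key("guessed-secret", RECEIVING, ORIGINATING, STREAM_ID)
    return receiving_server_check(ORIGINATING, STREAM_ID, forged_key, ORIG_SECRET)
```

The check vouches only for the domain the originating side claims; the proof lives in the authoritative server's secret, not in the connection itself, which is why a host-local rogue user fails scenario (2) while scenario (1), the remote server not listening at all, is untouched by it.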