[Standards] XEP-0220: handling of invalid dialback key

Peter Saint-Andre stpeter at stpeter.im
Thu Apr 14 20:30:37 UTC 2011

On 4/14/11 2:22 PM, Philipp Hancke wrote:


> Actually, I mostly disagree with the "removed requirement for the
> Receiving Server to close the stream if the dialback key is invalid"
> stuff. From the security POV, why should the receiving server not
> terminate the stream?

Because, from the performance point of view, it doesn't want to discard
the 10,000 valid domains it already supports on that stream. That's a
huge cost to impose on the server just because the 10,001st domain has a
DNSSEC problem. For traditional dialback the force-close requirement is
fine. For dialback as used for domain name assertions with DNSSEC it
seems too strong to me.


Peter Saint-Andre
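
The trade-off argued in this message, as an added sketch that is not part of the original post and is not code from XEP-0220 or any server implementation: a receiving server's per-stream table of verified domain pairs under the force-close policy and under the reject-only-that-pair policy. Class, method and domain names are hypothetical, and the scenario is constructed.

```python
# Added illustration; names are hypothetical and the scenario is constructed.
from dataclasses import dataclass, field


@dataclass
class InboundStream:
    """Receiving-server view of one s2s stream carrying many domain pairs."""
    stream_id: str
    close_on_invalid: bool                      # True = force-close policy
    is_open: bool = True
    verified: set = field(default_factory=set)  # (originating, receiving)

    def on_verify_result(self, originating, receiving, valid):
        """Apply the verification answer for one dialback key.

        Returns how many already-verified pairs were discarded as a result."""
        if not self.is_open:
            raise RuntimeError("stream already closed")
        pair = (originating, receiving)
        if valid:
            self.verified.add(pair)
            return 0
        # Invalid key: this pair must never be treated as authorized.
        self.verified.discard(pair)
        if self.close_on_invalid:
            lost = len(self.verified)
            self.verified.clear()
            self.is_open = False
            return lost
        return 0

    def accept_stanza(self, from_domain, to_domain):
        """Route a stanza only if its domain pair was verified on this stream."""
        return self.is_open and (from_domain, to_domain) in self.verified


def simulate(close_on_invalid, n_valid=10_000):
    """n_valid domains verify successfully, then one more domain fails."""
    s = InboundStream("constructed-stream-id", close_on_invalid)
    for i in range(n_valid):
        s.on_verify_result(f"d{i}.example", "recv.example", valid=True)
    lost = s.on_verify_result("bad.example", "recv.example", valid=False)
    return s, lost
```

Under either policy the failing domain is never accepted; the difference is only whether the pairs verified earlier on the same stream survive.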

