[Standards] Deprecating Dialback

Sam Whited sam at samwhited.com
Wed Dec 2 14:08:31 UTC 2020

Hi all,

I've been having a think about dialback recently and came to the
conclusion that it would be nice to begin discouraging its use on the
public network. This would raise the overall quality of authentication
on the network by beginning to phase out insecure DNS-based
authentication as well as simplify the implementation of certificate
based auth by allowing us to only rely on SASL EXTERNAL without having
to also implement "dialback without dialing back". Towards that end, I
would like to propose deprecating XEP-0220 and XEP-0185.

To decide whether this was a good idea or not, I tried to answer the
following questions (this was actually to decide if I wanted to
implement it or not, but I think they apply here too):

- How widespread is dialback use on the public Jabber network today?

- Are there any services that are considered "important" that only
  support dialback (and what do we mean by "important")?

To answer the first I asked in the chat for stats from large public
servers. The only respondent was Jabber.FR (thanks Link Mauve) where
only 4% of 2034 connections were using dialback. I would be curious if
this is representative of the broader network if any other medium-to-
large servers want to chime in.

For the second I did not end up coming up with a definition of
"important", but someone suggested that jabber.org might be considered
important and that they thought it had trouble with SASL EXTERNAL. I did
not verify this since I don't have a domain set up to do s2s properly
right now. If anyone can verify this (and if it's true can verify
whether it can be upgraded to support SASL EXTERNAL) please chime in.

Thanks for reading,

Sam Whited
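The stats question in the post (how many s2s peers would still rely on dialback) can be answered from the `<stream:features>` each remote server sends: SASL EXTERNAL is advertised as a `<mechanism>` under the RFC 6120 SASL namespace, and Server Dialback as the XEP-0220 `<dialback/>` feature. The script below is an added example, not code from the original post or from any XMPP server project; it classifies a set of constructed feature elements so an operator can see what fraction of peers are dialback-only (the ones that a deprecation would cut off) before turning the feature off. The `classify_features` and `summarize` names and the sample documents are this example's own.

```python
"""Classify what an XMPP s2s peer offers for authentication.

Added example (not from the mailing-list post or any server project).
Given the <stream:features> element a remote server sends on an s2s
stream, report whether it offers SASL EXTERNAL (certificate-based),
Server Dialback (XEP-0220, DNS-based), both, or neither, then summarise
a batch of them the way a server operator would before dropping dialback.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"    # RFC 6120 SASL features
NS_DIALBACK = "urn:xmpp:features:dialback"      # XEP-0220 dialback feature


def classify_features(features_xml):
    """Return 'external', 'dialback-only', 'both' or 'none'."""
    root = ET.fromstring(features_xml)
    # Mechanism names are case-insensitive in practice; normalise them.
    mechanisms = {
        (m.text or "").strip().upper()
        for m in root.iter(f"{{{NS_SASL}}}mechanism")
    }
    has_external = "EXTERNAL" in mechanisms
    has_dialback = root.find(f"{{{NS_DIALBACK}}}dialback") is not None
    if has_external and has_dialback:
        return "both"
    if has_external:
        return "external"
    if has_dialback:
        return "dialback-only"
    return "none"


def summarize(feature_docs):
    """Count each class and compute the share of peers that are dialback-only."""
    counts = Counter(classify_features(doc) for doc in feature_docs)
    total = sum(counts.values())
    pct = 100.0 * counts["dialback-only"] / total if total else 0.0
    return {"counts": dict(counts), "total": total, "dialback_only_pct": pct}


# Constructed sample feature elements (not captured from real servers).
# The stream prefix must be declared so ElementTree can parse the root.
_HEAD = '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
_TAIL = "</stream:features>"

SAMPLE_EXTERNAL = (
    _HEAD
    + f'<mechanisms xmlns="{NS_SASL}"><mechanism>EXTERNAL</mechanism></mechanisms>'
    + _TAIL
)
SAMPLE_BOTH = (
    _HEAD
    + f'<mechanisms xmlns="{NS_SASL}"><mechanism>EXTERNAL</mechanism></mechanisms>'
    + f'<dialback xmlns="{NS_DIALBACK}"/>'
    + _TAIL
)
SAMPLE_DIALBACK_ONLY = _HEAD + f'<dialback xmlns="{NS_DIALBACK}"/>' + _TAIL
SAMPLE_NONE = _HEAD + _TAIL

# Five constructed peers: two EXTERNAL-only, one both, one dialback-only, one none.
SAMPLE_FEATURES = [
    SAMPLE_EXTERNAL,
    SAMPLE_EXTERNAL,
    SAMPLE_BOTH,
    SAMPLE_DIALBACK_ONLY,
    SAMPLE_NONE,
]

if __name__ == "__main__":
    report = summarize(SAMPLE_FEATURES)
    for cls, n in sorted(report["counts"].items()):
        print(f"{cls:14s} {n}")
    print(f"dialback-only share: {report['dialback_only_pct']:.1f}% of {report['total']}")
```

Peers that land in `both` keep working after dialback is removed because SASL EXTERNAL is still negotiated; only the `dialback-only` bucket represents domains that would have to deploy a certificate chain the receiving side trusts. Peers in `none` are already unable to authenticate on this stream and are worth investigating separately.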
