[Standards] XEP-0178: Clarify SASL-EXTERNAL specification when s2s auth fails

Dave Cridland dave at cridland.net
Wed Jul 1 09:41:38 UTC 2020


On Tue, 30 Jun 2020 at 19:46, Kim Alvefur <zash at zash.se> wrote:

> This does result in a number of different possible configurations. Not
> great for something security related. Personally I hope we might be able
> to phase out Dialback in the future. Today, largely thanks to Let's
> Encrypt, more and more servers have valid certificates. So, the Dialback
> code paths are more and more disused.
>
> My own server requires valid certificates and this is mostly an issue
> with certain XSF members (you know who you are). As a bonus, many
> unmaintained certificates with expired certificates that I am unable to
> establish s2s with appear to be sources of spam, which I am spared from.


Getting rid of the dialback syntax entirely depends on whether we want to
get rid of S2S multiplexing ("Piggybacking") or not. Also XEP-0288 depends
on the dialback syntax.

FWIW, there are deployments around which - for sensible reasons - do not
use TLS at all, and having dialback is a useful way of
providing authentication without TLS, though it's not clear to me they need
even the security of the actual dialback token verification.

Dave.