[Standards] XEP-0178: Clarify SASL-EXTERNAL specification when s2s auth fails

Dave Cridland dave at cridland.net
Wed Jul 1 09:43:06 UTC 2020


On Wed, 1 Jul 2020 at 10:41, Dave Cridland <dave at cridland.net> wrote:

>
>
> On Tue, 30 Jun 2020 at 19:46, Kim Alvefur <zash at zash.se> wrote:
>
>> This does result in a number of different possible configurations. Not
>> great for something security related. Personally I hope we might be able
>> to phase out Dialback in the future. Today, largely thanks to Let's
>> Encrypt, more and more servers have valid certificates. So, the Dialback
>> code paths are more and more disused.
>>
>> My own server requires valid certificates and this is mostly an issue
>> with certain XSF members (you know who you are). As a bonus, many
>> unmaintained certificates with expired certificates that I am unable to
>> establish s2s with appear to be sources of spam, which I am spared from.
>
>
> Getting rid of the dialback syntax entirely depends on whether we want to
> get rid of S2S multiplexing ("Piggybacking") or not. Also XEP-0288 depends
> on the dialback syntax.
>
>
Ooops - no, it doesn't. XEP-0288 is independent, so it's just multiplexing.


> FWIW, there are deployments around which - for sensible reasons - do not
> use TLS at all, and having dialback is a useful way of
> providing authentication without TLS, though it's not clear to me they need
> even the security of the actual dialback token verification.
>
> Dave.
>