[Standards] XEP-0178: Clarify SASL-EXTERNAL specification when s2s auth fails
Ruslan N. Marchenko
me at ruff.mobi
Tue Jun 30 16:58:49 UTC 2020
Am Dienstag, den 30.06.2020, 17:59 +0200 schrieb Jonas Schäfer:
> Hi list,
> (Editor hat on)
> On behalf of the Council, I’d like to bring this pull request to the
> of the community:
> Input from server operators specifically would be welcomed to see if
> change is in fact desirable or if you can see any issues with that.
> At least
> one member of the community has already expressed  that they think
> this may
> lead to downgrade attacks.
Let me rephrase/expand a bit my statement.
The SASL EXTERNAL mandates use of TLS and certificate validation (XEP-
0220 does not). In theory you can achieve exactly the same level of
security with Dialback as with EXTERNAL - eg. both sides still auth
each others' certificates during dialback, and similarly one can put
additional measures such as DANE + DNSEC.
Now if EXTERNAL fails - that means there's something wrong with the
certificates. And proposal to fail back to dialback means we want to
tolerate certificate validation errors. Which is a downgrade.
Now, if we want to loosen the failure scenario, we need to explicitly
call out that this is only acceptable without loss of security controls
(validation) - eg just a misconfiguration.
Now again EXTERNAL misconfiguration is kind of obvious - connection is
lost if integrity/confidentiality is not achievable. Dialback does not
put anything like that in place to ensure that.
More information about the Standards