[Standards] Fwd: [Uta] STARTTLS vulnerabilities

Philipp Hancke fippo at goodadvice.pages.de
Thu Aug 12 05:15:56 UTC 2021


Am 11.08.21 um 23:49 schrieb Peter Saint-Andre:
> On 8/11/21 3:35 PM, Kim Alvefur wrote:
>> On Wed, Aug 11, 2021 at 02:25:56PM -0600, Peter Saint-Andre wrote:
>>> Too bad we didn't stick to our guns in 2003 and insist on two ports
>>> instead of one, but STARTTLS was the recommended approach back then...
>>
>> We were always at war with STARTTLS?
> 
> We would have preferred to keep using port 5223 for TLS-only, but at
> that time (2003/2004) IETF/IESG policy was "don't use so many ports,
> STARTTLS makes it so that you only need one".

ah, one port is enough. But I do wonder if the old technique from 
https://github.com/mawis/jabberd/blob/8c99ba9d56574044770c7513acd11c9072488203/jadc2s/clients.cc#L1289-L1301
(18 years...) is documented in some IETF document.
There is
   https://datatracker.ietf.org/doc/html/rfc5764#section-5.1.2
but it only applies to DTLS.
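The single-port detection the jadc2s link refers to, as an added example that is not code from jabberd or from the poster: it assumes (the page does not spell this out) that the technique peeks at the first byte of a new connection and starts TLS when that byte is a TLS handshake record (0x16), otherwise treating the stream as plaintext XMPP; it also carries the first-byte ranges RFC 5764 section 5.1.2 defines for a shared UDP port.

```python
import socket
from typing import Optional

TLS_HANDSHAKE = 0x16  # TLS record ContentType 22: a ClientHello starts with it


def classify_tcp_first_byte(b: int) -> str:
    """Single-port TCP listener: TLS ClientHello vs plaintext XMPP stream."""
    if b == TLS_HANDSHAKE:
        return "tls"
    if b == ord("<"):  # '<?xml' or '<stream:stream' from a plaintext client
        return "xmpp-plaintext"
    return "unknown"


def classify_udp_first_byte(b: int) -> str:
    """RFC 5764 section 5.1.2 demultiplexing of a shared UDP port."""
    if 0 <= b <= 3:
        return "stun"
    if 20 <= b <= 63:  # DTLS records; 0x16 (handshake) falls in here too
        return "dtls"
    if 128 <= b <= 191:
        return "rtp"
    return "unknown"


def peek_first_byte(sock: socket.socket) -> Optional[int]:
    """Inspect the first byte without consuming it (MSG_PEEK), so the TLS
    library or XML parser that is handed the socket next still reads it."""
    data = sock.recv(1, socket.MSG_PEEK)
    return data[0] if data else None


def detect_tcp(sock: socket.socket) -> str:
    b = peek_first_byte(sock)
    return "closed" if b is None else classify_tcp_first_byte(b)


def demo() -> dict:
    """Constructed inputs over a socketpair: the start of a TLS record header
    and of a plaintext XMPP stream. Returns the detector's verdict and whether
    the next reader still receives the untouched bytes."""
    results = {}
    for name, payload in (("tls", b"\x16\x03\x01\x00\x05"),
                          ("xmpp-plaintext", b"<?xml version='1.0'?>")):
        client, server = socket.socketpair()
        client.sendall(payload)
        kind = detect_tcp(server)
        still_there = server.recv(len(payload))
        client.close()
        server.close()
        results[name] = (kind, still_there == payload)
    return results
```

The point of MSG_PEEK is that the detector leaves the ClientHello in the socket buffer, so the TLS handshake can be handed to the TLS library unmodified.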
