[Summit] TLS s2s interconnect hackfest

Peter Saint-Andre stpeter at stpeter.im
Wed Jan 27 08:50:38 CST 2010

On 1/27/10 7:46 AM, Dave Cridland wrote:
> On Wed Jan 27 14:23:33 2010, Peter Saint-Andre wrote:
>> On 1/27/10 6:25 AM, Dave Cridland wrote:
>> > (My favourite remains the case where you decide that the peer
>> > you're connecting to doesn't have a valid certificate, and therefore
>> > instead of using the EXTERNAL you're offered, you insist on doing
>> > dialback to authenticate yourself.)
>> That is rather strange from the PKI perspective, but it's always seemed
>> like a good fallback from the XMPP perspective. Or is it? :)
> It isn't sane at all.
> The initiator ends up trusting the receiver without any authentication
> outside of a trust in DNS, which it had anyway - it's refusing to use
> the credentials that the receiver is happy to trust, however, for no
> apparent reason.
> Falling back to dialback when your X.509 credentials aren't accepted is
> of course a sane fallback for XMPP. Falling back when they *are*
> accepted is weird.

Oh, sorry, I misunderstood your original description. Yes, that is
bizarre. This perhaps speaks to the need for better documentation of
TLS+dialback (when to use it, when not, etc.).


Peter Saint-Andre
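To make the behaviour discussed above concrete, here is an added example (not code from this thread or from any XMPP server) that parses a receiving server's `<stream:features>` for the SASL mechanisms and dialback feature, then shows the initiator's mechanism choice under two policies: the sane one, where an offered EXTERNAL is always taken, and the odd one Dave describes, where the initiator drops to dialback merely because it could not validate the receiver's certificate. The stream-features samples are constructed; the `peer_cert_valid` flag stands in for whatever certificate check the initiating server performs on the receiver, and the "pki"/"dns" assurance label is this example's own shorthand for the point that dialback gives the initiator no assurance about the receiver beyond DNS.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional, Tuple

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"          # RFC 6120 SASL feature
NS_DIALBACK_FEATURE = "urn:xmpp:features:dialback"    # XEP-0220 stream feature


class Features(NamedTuple):
    mechanisms: frozenset   # SASL mechanisms the receiver advertises
    dialback: bool          # whether the receiver advertises dialback


def parse_features(xml_text: str) -> Features:
    """Extract the SASL mechanism list and dialback flag from <stream:features>."""
    root = ET.fromstring(xml_text)
    mechs = frozenset(
        (m.text or "").strip() for m in root.iter("{%s}mechanism" % NS_SASL)
    )
    dialback = root.find("{%s}dialback" % NS_DIALBACK_FEATURE) is not None
    return Features(mechs, dialback)


def _receiver_assurance(peer_cert_valid: bool) -> str:
    # The initiator's assurance about *who the receiver is*: PKI if the receiver's
    # certificate validated, otherwise only the DNS lookup it did anyway.
    return "pki" if peer_cert_valid else "dns"


def choose_auth_sane(f: Features, peer_cert_valid: bool) -> Tuple[Optional[str], str]:
    """EXTERNAL on offer means the receiver already accepted our certificate.

    Whether *we* could validate the receiver's certificate has no bearing on how
    we authenticate ourselves, so EXTERNAL is taken whenever it is offered and
    dialback is only the fallback when it is not.
    """
    if "EXTERNAL" in f.mechanisms:
        return "EXTERNAL", _receiver_assurance(peer_cert_valid)
    if f.dialback:
        return "dialback", _receiver_assurance(peer_cert_valid)
    return None, _receiver_assurance(peer_cert_valid)


def choose_auth_weird(f: Features, peer_cert_valid: bool) -> Tuple[Optional[str], str]:
    """The behaviour criticised in the thread, reproduced for contrast.

    A failed check of the receiver's certificate makes the initiator refuse the
    EXTERNAL it was offered and authenticate itself by dialback instead, which
    gains nothing: its trust in the receiver was DNS-level either way.
    """
    if "EXTERNAL" in f.mechanisms and peer_cert_valid:
        return "EXTERNAL", _receiver_assurance(peer_cert_valid)
    if f.dialback:
        return "dialback", _receiver_assurance(peer_cert_valid)
    return None, _receiver_assurance(peer_cert_valid)


# Constructed sample stream features (not captured from any real server).
FEATURES_WITH_EXTERNAL = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>EXTERNAL</mechanism>
  </mechanisms>
  <dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>"""

FEATURES_DIALBACK_ONLY = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>"""

FEATURES_NONE = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'/>"""


if __name__ == "__main__":
    offered = parse_features(FEATURES_WITH_EXTERNAL)
    for valid in (True, False):
        print("receiver cert valid=%s  sane=%s  weird=%s" % (
            valid, choose_auth_sane(offered, valid), choose_auth_weird(offered, valid)))
```

Running it shows the two policies agree when the receiver's certificate validates and diverge only when it does not: the sane policy still answers EXTERNAL (the receiver accepted our credentials), while the weird one answers dialback with exactly the same DNS-level assurance about the receiver it would have had anyway.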

