[Summit] TLS s2s interconnect hackfest

Peter Saint-Andre stpeter at stpeter.im
Wed Jan 27 08:50:38 CST 2010


On 1/27/10 7:46 AM, Dave Cridland wrote:
> On Wed Jan 27 14:23:33 2010, Peter Saint-Andre wrote:
>> On 1/27/10 6:25 AM, Dave Cridland wrote:
>
>> > (My favourite remains the case where you decide that the peer
>> > you're connecting to doesn't have a valid certificate, and therefore
>> > instead of using the EXTERNAL you're offered, you insist on doing
>> > dialback to authenticate yourself.)
>>
>> That is rather strange from the PKI perspective, but it's always seemed
>> like a good fallback from the XMPP perspective. Or is it? :)
> 
> It isn't sane at all.
> 
> The initiator ends up trusting the receiver without any authentication
> outside of a trust in DNS, which it had anyway - it's refusing to use
> the credentials that the receiver is happy to trust, however, for no
> apparent reason.
> 
> Falling back to dialback when your X.509 credentials aren't accepted is
> of course a sane fallback for XMPP. Falling back when they *are*
> accepted is weird.

Oh, sorry, I misunderstood your original description. Yes, that is
bizarre. This perhaps speaks to the need for better documentation of
TLS+dialback (when to use it, when not, etc.).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
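The two policies discussed above, as an added example that is not part of the thread: an initiating server has finished TLS, received the receiver's <stream:features/>, and must decide how to authenticate itself. The first chooser is the behaviour Dave describes (refuse the EXTERNAL you are offered because you do not trust the receiver's certificate, and dialback instead); the second uses EXTERNAL whenever it is offered, since an offered EXTERNAL means the receiver has already accepted the initiator's X.509 credentials, and treats trust in the receiver's certificate as the separate question of how the receiver gets authenticated. The features XML is constructed for this example; the namespaces are the real ones from RFC 6120 (SASL) and XEP-0220 (dialback feature).

```python
"""Added example, not code from the thread or from any XMPP server.

Shows why refusing an offered SASL EXTERNAL because *we* distrust the
receiver's certificate gains nothing: the fallback (dialback) authenticates
the receiver no better than DNS already did, and EXTERNAL was how the
receiver was prepared to authenticate *us*.
"""
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"       # RFC 6120
NS_DIALBACK = "urn:xmpp:features:dialback"          # XEP-0220

# Constructed <stream:features/> payloads a receiving server might send
# after TLS. Names/contents are made up for the example.
FEATURES_EXTERNAL_AND_DIALBACK = """
<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>EXTERNAL</mechanism>
  </mechanisms>
  <dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
"""
FEATURES_DIALBACK_ONLY = """
<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
"""
FEATURES_NOTHING = """
<stream:features xmlns:stream='http://etherx.jabber.org/streams'/>
"""


def parse_features(xml_text):
    """Return (set of SASL mechanisms offered, dialback advertised?)."""
    root = ET.fromstring(xml_text)
    mechs = {
        m.text.strip()
        for m in root.iter("{%s}mechanism" % NS_SASL)
        if m.text
    }
    dialback = root.find("{%s}dialback" % NS_DIALBACK) is not None
    return mechs, dialback


def receiver_assurance(receiver_cert_trusted):
    """How the initiator has authenticated the *receiver*. Without a trusted
    certificate the only assurance is that DNS led us to this host, which
    is all dialback ever gives anyway."""
    return "x509" if receiver_cert_trusted else "dns-only"


def choose_refusing_external(mechs, dialback, receiver_cert_trusted):
    """The behaviour described in the thread: decline the EXTERNAL we are
    offered unless we also trust the receiver's certificate, and do
    dialback to prove our own identity instead."""
    if "EXTERNAL" in mechs and receiver_cert_trusted:
        return "external", receiver_assurance(receiver_cert_trusted)
    if dialback:
        return "dialback", receiver_assurance(receiver_cert_trusted)
    return "abort", receiver_assurance(receiver_cert_trusted)


def choose_preferring_external(mechs, dialback, receiver_cert_trusted):
    """EXTERNAL being offered means the receiver accepted our certificate;
    our opinion of *its* certificate does not change how we prove who we
    are. Dialback is the fallback only when our X.509 credentials were
    not accepted (no EXTERNAL offered)."""
    if "EXTERNAL" in mechs:
        return "external", receiver_assurance(receiver_cert_trusted)
    if dialback:
        return "dialback", receiver_assurance(receiver_cert_trusted)
    return "abort", receiver_assurance(receiver_cert_trusted)


def compare(features_xml, receiver_cert_trusted):
    """Run both policies over one features stanza; returns a dict of the
    (our-auth, receiver-assurance) outcome under each."""
    mechs, dialback = parse_features(features_xml)
    return {
        "refusing_external": choose_refusing_external(mechs, dialback, receiver_cert_trusted),
        "preferring_external": choose_preferring_external(mechs, dialback, receiver_cert_trusted),
    }


if __name__ == "__main__":
    # The case from the thread: receiver offers EXTERNAL, we distrust its cert.
    for name, outcome in compare(FEATURES_EXTERNAL_AND_DIALBACK, False).items():
        print(name, "->", outcome)
```

Running it for the thread's case shows both policies ending with the receiver authenticated only via DNS, but the first one has also thrown away the credentials the receiver was happy to accept. When EXTERNAL is not offered, the two policies agree and dialback is the sensible fallback.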


