[Jabber-IETF] SASL issues

Pete Chown 1 at 234.cx
Thu Oct 10 15:27:01 CDT 2002

Marshall Rose wrote:

> 1. sasl in general
> it seems to me that there are three questions:
>     1a. does the sasl stuff in the xmpp spec actually work? [correctness]

I think it does.  If the server does not have a certificate whose issuer 
is trusted by the client, there is a risk of man-in-the-middle attacks. 
I don't know whether that is a major concern to most people here.  I 
wrote an RFC for the TLS working group, so of course I'm pedantic about 
security. :-)

>     1b. does the sasl stuff in the xmpp spec provide the security we want?
>         [completeness]

You require TLS as well, of course, to achieve confidentiality.  I was 
just wondering if anyone is interested in doing XMPP with Kerberos... 
If so, the easiest thing is perhaps to use Kerberos with TLS as 
specified in RFC 2712, then use SASL EXTERNAL to import the Kerberos 
credential into XMPP.  If there is interest in Kerberos and people feel 
this is the best way to achieve it, it should probably be documented in 
the spec.

>     1c. does the sasl stuff in the xmpp spec downgrade gracefully when
>         talking with jabber? (i.e., if one side doesn't support sasl,
>         then the connection stays up and the peers have a consistent
>         view of the state of the connection.) [backwards-compatibility]

I think this is okay.  If we go with the version="1.0" idea, it is 
theoretically possible that old software could break.  However, I can't 
see a better option.
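The downgrade question in 1c and the SASL EXTERNAL suggestion above can be made concrete with a small server-side negotiation routine. The following Python is an added example, not code from the thread or from any Jabber/XMPP implementation. It assumes the version="1.0" proposal works as follows: a peer that sends no version attribute is treated as 0.0, the lower of the two versions wins, and only a negotiated version of 1.0 or higher gets a <stream:features/> element (an old Jabber peer is sent a plain stream header and nothing it cannot understand). The XML namespaces, the host name example.com, the stream id and the DIGEST-MD5 mechanism are assumptions chosen for the illustration. SASL EXTERNAL is advertised only after TLS is up and the client presented a certificate the server verified, which is the precondition for importing a TLS-carried credential into the XMPP authentication step.

```python
import re
from typing import Optional, Tuple

# Constructed sample stream headers (not taken from the thread): a client that
# implements the proposed version="1.0" negotiation, and an older Jabber
# client that sends no version attribute at all.
NEW_CLIENT_HEADER = (
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "to='example.com' version='1.0'>"
)
OLD_CLIENT_HEADER = (
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "to='example.com'>"
)

# Assumed namespaces for the TLS and SASL feature elements.
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Highest stream version this hypothetical server implements.
SERVER_VERSION = (1, 0)

_VERSION_RE = re.compile(r"""\bversion\s*=\s*(['"])(\d+)\.(\d+)\1""")


def parse_stream_version(header: str) -> Tuple[int, int]:
    """Return (major, minor) from an opening <stream:stream> tag.

    A missing or malformed attribute is treated as 0.0, i.e. a pre-SASL
    Jabber peer that knows nothing about stream features.
    """
    m = _VERSION_RE.search(header)
    if m is None:
        return (0, 0)
    return (int(m.group(2)), int(m.group(3)))


def negotiate_version(client: Tuple[int, int],
                      server: Tuple[int, int] = SERVER_VERSION) -> Tuple[int, int]:
    """Both sides must agree on one version; the lower of the two wins."""
    return min(client, server)


def server_response(header: str,
                    tls_established: bool = False,
                    client_cert_subject: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Build the server's stream header and, when applicable, its features.

    Returns (response_header, features_or_None).  Below version 1.0 no
    features element is sent, so an old peer keeps a consistent view of the
    stream instead of choking on an element it does not understand.
    """
    negotiated = negotiate_version(parse_stream_version(header))
    attrs = ("xmlns='jabber:client' "
             "xmlns:stream='http://etherx.jabber.org/streams' "
             "from='example.com' id='constructed-stream-id'")
    if negotiated < (1, 0):
        # Legacy peer: plain header, no version attribute, no features.
        return ("<stream:stream %s>" % attrs, None)

    resp = "<stream:stream %s version='%d.%d'>" % (attrs, negotiated[0], negotiated[1])
    if not tls_established:
        # Before TLS, the only thing on offer is STARTTLS; SASL mechanisms are
        # held back so credentials never travel over a cleartext stream.
        body = "<starttls xmlns='%s'><required/></starttls>" % TLS_NS
    else:
        mechanisms = ["DIGEST-MD5"]
        if client_cert_subject is not None:
            # A verified client certificate (e.g. one carrying a Kerberos
            # credential via TLS) is what makes EXTERNAL meaningful.
            mechanisms.insert(0, "EXTERNAL")
        body = "<mechanisms xmlns='%s'>%s</mechanisms>" % (
            SASL_NS, "".join("<mechanism>%s</mechanism>" % m for m in mechanisms))
    return (resp, "<stream:features>%s</stream:features>" % body)
```

Running server_response on the two constructed headers shows the two paths: the old client gets a bare stream header and the session carries on as classic Jabber, while the 1.0 client is first steered to STARTTLS and only after that sees a mechanism list, with EXTERNAL present only when a client certificate was actually verified.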


