[Jabber-IETF] SASL issues
1 at 234.cx
Thu Oct 10 15:27:01 CDT 2002
Marshall Rose wrote:
> 1. sasl in general
> it seems to me that there are three questions:
> 1a. does the sasl stuff in the xmpp spec actually work? [correctness]
I think it does. If the server does not have a certificate whose issuer
is trusted by the client, there is a risk of man-in-the-middle attacks.
I don't know whether that is a major concern to most people here. I
wrote an RFC for the TLS working group, so of course I'm pedantic about
> 1b. does the sasl stuff in the xmpp spec provide the security we want?
You require TLS as well, of course, to achieve confidentiality. I was
just wondering if anyone is interested in doing XMPP with Kerberos...
If so, the easiest thing is perhaps to use Kerberos with TLS as
specified in RFC 2712, then use SASL EXTERNAL to import the Kerberos
credential into XMPP. If there is interest in Kerberos and people feel
this is the best way to achieve it, it should probably be documented in
> 1c. does the sasl stuff in the xmpp spec downgrade gracefully when
> talking with jabber? (i.e., if one side doesn't support sasl,
> then the connection stays up and the peers have a consistent
> view of the state of the connection.) [backwards-compatibility]
I think this is okay. If we go with the version="1.0" idea, it is
theoretically possible that old software could break. However, I can't
see a better option.
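As an added example (not code from the thread or from any XMPP implementation), here is a client-side policy for the negotiation discussed above: detect a pre-1.0 peer from the stream header and fall back, require TLS before any SASL exchange, refuse to authenticate over a TLS session whose peer was not authenticated (the man-in-the-middle point), and prefer EXTERNAL when a credential already exists at the TLS layer. The namespaces are those of the later published XMPP RFCs and the action names are my own; the stream header and features are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces assumed from the later published XMPP specification, not from the 2002 draft.
NS_TLS = "{urn:ietf:params:xml:ns:xmpp-tls}"
NS_SASL = "{urn:ietf:params:xml:ns:xmpp-sasl}"

# Constructed sample data: an old-style Jabber stream header, an XMPP 1.0 header, and a
# features element offering STARTTLS (required) plus two SASL mechanisms.
LEGACY_HEADER = "<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com'>"
XMPP10_HEADER = LEGACY_HEADER[:-1] + " version='1.0'>"
FEATURES = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>EXTERNAL</mechanism><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>"""

def peer_speaks_xmpp_10(stream_header: str) -> bool:
    """True if the opening <stream:stream> carries version >= 1.0. Old Jabber software sends
    no version attribute at all; that is the downgrade case, and no <stream:features> follows."""
    m = re.search(r"""\bversion\s*=\s*['"](\d+)\.(\d+)['"]""", stream_header)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (1, 0)

def parse_features(features_xml: str) -> dict:
    """Extract what the server offers: STARTTLS (and whether it is marked required)
    and the SASL mechanism names in the server's order."""
    root = ET.fromstring(features_xml)
    starttls = root.find(NS_TLS + "starttls")
    mechs = [m.text.strip() for m in root.iter(NS_SASL + "mechanism") if m.text]
    return {
        "starttls": starttls is not None,
        "tls_required": starttls is not None and starttls.find(NS_TLS + "required") is not None,
        "mechanisms": mechs,
    }

def next_step(version_10: bool, features: dict, tls_active: bool, tls_peer_authenticated: bool) -> str:
    """Decide the client's next move. tls_peer_authenticated covers both a server certificate
    with a trusted issuer and a Kerberos-authenticated TLS session (RFC 2712)."""
    if not version_10:
        return "legacy-auth"                 # pre-1.0 peer: no SASL, stay on the old mechanism
    if not tls_active:
        return "starttls" if features["starttls"] else "abort:no-tls"  # SASL gives no confidentiality
    if not tls_peer_authenticated:
        return "abort:untrusted-peer"        # unauthenticated TLS peer: man-in-the-middle risk
    if "EXTERNAL" in features["mechanisms"]:
        return "sasl:EXTERNAL"               # reuse the credential established at the TLS layer
    for m in features["mechanisms"]:
        if m != "PLAIN":
            return "sasl:" + m
    return "abort:no-acceptable-mechanism"
```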