[Jabber-IETF] SASL issues

Robert Norris rob at cataclysm.cx
Thu Oct 10 18:46:58 CDT 2002


> >    1a. does the sasl stuff in the xmpp spec actually work? [correctness]
> 
> I think it does.  If the server does not have a certificate whose issuer 
> is trusted by the client, there is a risk of man-in-the-middle attacks. 
> I don't know whether that is a major concern to most people here.  I 
> wrote an RFC for the TLS working group, so of course I'm pedantic about 
> security. :-)

I have an implementation, if that's any help.

> >    1b. does the sasl stuff in the xmpp spec provide the security we want?
> >        [completeness]
> 
> You require TLS as well, of course, to achieve confidentiality.  I was 
> just wondering if anyone is interested in doing XMPP with Kerberos... 
> If so, the easiest thing is perhaps to use Kerberos with TLS as 
> specified in RFC 2712, then use SASL EXTERNAL to import the Kerberos 
> credential into XMPP.  If there is interest in Kerberos and people feel 
> this is the best way to achieve it, it should probably be documented in 
> the spec.

I wrote a STARTTLS extension some time ago, see
http://www.jabber.org/jeps/jep-0035.html. It's in the same vein as the
first round of SASL stuff I did, but it should be straightforward to
bring into line with what we're doing here.

> >    1c. does the sasl stuff in the xmpp spec downgrade gracefully when
> >        talking with jabber? (i.e., if one side doesn't support sasl,
> >        then the connection stays up and the peers have a consistent
> >        view of the state of the connection.) [backwards-compatibility]
> 
> I think this is okay.  If we go with the version="1.0" idea, it is 
> theoretically possible that old software could break.  However, I can't 
> see a better option.

I'd prefer the version='1.0' method. It doesn't break the two servers
with the largest installed base (JOSS and JCP), so that's enough for me.

-- 
Robert Norris                                       GPG: 1024D/FC18E6C2
Email+Jabber: rob at cataclysm.cx                Web: http://cataclysm.cx/
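The version='1.0' downgrade question discussed above, as an added example that is not part of the thread or of any implementation mentioned in it: a receiving side inspects the peer's opening stream header, treats a missing version attribute as a pre-1.0 (legacy) peer that cannot do SASL/STARTTLS, and keeps the stream up rather than erroring. The "agree on the lower of the two versions" rule and the optional require_tls policy knob are assumptions made for this example.

```python
import re
from typing import Tuple

# Version this side implements (assumed: the 1.0 proposal from the thread).
OUR_VERSION = (1, 0)

# The opening <stream:stream ...> tag is not a complete XML document, so a
# small regex is used instead of an XML parser to pull out version='X.Y'.
_VERSION_RE = re.compile(r"""\bversion\s*=\s*(['"])(\d+)\.(\d+)\1""")


def parse_stream_version(stream_header: str) -> Tuple[int, int]:
    """Return (major, minor) from a stream header; no attribute => (0, 0)."""
    m = _VERSION_RE.search(stream_header)
    if not m:
        return (0, 0)  # legacy jabber peer: no version attribute at all
    return (int(m.group(2)), int(m.group(3)))


def negotiate(peer_header: str, ours: Tuple[int, int] = OUR_VERSION,
              require_tls: bool = False) -> Tuple[str, Tuple[int, int]]:
    """Decide how to continue after reading the peer's stream header.

    'features': both sides are >= 1.0, send <stream:features> offering
                STARTTLS and SASL mechanisms.
    'legacy':   peer is pre-1.0; keep the stream open and use the old
                non-SASL handling, so neither side sees a broken state.
    'refuse':   local policy demands TLS (assumed knob) and the peer
                cannot negotiate it; the downgrade is rejected explicitly.
    """
    agreed = min(parse_stream_version(peer_header), ours)
    if agreed >= (1, 0):
        return ("features", agreed)
    if require_tls:
        return ("refuse", agreed)
    return ("legacy", agreed)


def response_header(peer_header: str) -> str:
    """Build our own stream header, echoing version only for a 1.0+ peer."""
    _, agreed = negotiate(peer_header)
    attrs = "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'"
    if agreed >= (1, 0):
        attrs += " version='%d.%d'" % agreed
    return "<stream:stream %s>" % attrs
```

A constructed legacy header such as `<stream:stream xmlns='jabber:client'>` yields ('legacy', (0, 0)), while one carrying version='1.0' yields ('features', (1, 0)).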