[Jabber-IETF] SASL issues
rob at cataclysm.cx
Thu Oct 10 18:46:58 CDT 2002
> > 1a. does the sasl stuff in the xmpp spec actually work? [correctness]
> I think it does. If the server does not have a certificate whose issuer
> is trusted by the client, there is a risk of man-in-the-middle attacks.
> I don't know whether that is a major concern to most people here. I
> wrote an RFC for the TLS working group, so of course I'm pedantic about
> security. :-)
I have an implementation, if that's any help.
> > 1b. does the sasl stuff in the xmpp spec provide the security we want?
> > [completeness]
> You require TLS as well, of course, to achieve confidentiality. I was
> just wondering if anyone is interested in doing XMPP with Kerberos...
> If so, the easiest thing is perhaps to use Kerberos with TLS as
> specified in RFC 2712, then use SASL EXTERNAL to import the Kerberos
> credential into XMPP. If there is interest in Kerberos and people feel
> this is the best way to achieve it, it should probably be documented in
> the spec.
I wrote a STARTTLS extension some time ago, see
http://www.jabber.org/jeps/jep-0035.html. It's in the same vein as the
first round of SASL stuff I did, but it should be straightforward to
bring into line with what we're doing here.
> > 1c. does the sasl stuff in the xmpp spec downgrade gracefully when
> > talking with jabber? (i.e., if one side doesn't support sasl,
> > then the connection stays up and the peers have a consistent
> > view of the state of the connection.) [backwards-compatibility]
> I think this is okay. If we go with the version="1.0" idea, it is
> theoretically possible that old software could break. However, I can't
> see a better option.
I'd prefer the version='1.0' method. It doesn't break the two servers
with the largest installed base (JOSS and JCP), so that's enough for me.
Robert Norris GPG: 1024D/FC18E6C2
Email+Jabber: rob at cataclysm.cx Web: http://cataclysm.cx/
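An added example (not from this thread or from any Jabber server) of the version='1.0' downgrade logic discussed above, in Python. It assumes the rule later standardized in RFC 3920: the receiving entity answers with the lower of the two stream versions and treats a missing or malformed version attribute as 0.0, only offering STARTTLS/SASL when the agreed version is 1.0 or higher; the feature names and the response header are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Version this (hypothetical) server implements: the version='1.0' proposal.
OUR_VERSION: Tuple[int, int] = (1, 0)

# Matches version='1.0' or version="1.0" inside an opening stream tag.
_VERSION_RE = re.compile(r"""\bversion\s*=\s*(['"])(\d+)\.(\d+)\1""")


def parse_stream_version(stream_header: str) -> Tuple[int, int]:
    """Return (major, minor) from an opening <stream:stream ...> tag.

    A header without a usable version attribute is legacy Jabber and is
    treated as 0.0, so the peer is downgraded instead of rejected.
    """
    m = _VERSION_RE.search(stream_header)
    if m is None:
        return (0, 0)
    return (int(m.group(2)), int(m.group(3)))


def negotiate(stream_header: str) -> Dict[str, object]:
    """Decide the agreed version, the features to offer and the reply header.

    Both sides end up with a consistent view: the reply carries the agreed
    version only when it is >= 1.0, and feature advertisement (STARTTLS,
    SASL) happens only then. Legacy peers get a plain pre-1.0 header with
    no unknown attribute that old software might choke on.
    """
    peer = parse_stream_version(stream_header)
    agreed = min(peer, OUR_VERSION)  # tuple comparison: major first, then minor
    features: List[str] = ["starttls", "sasl"] if agreed >= (1, 0) else []

    # Constructed reply header; namespaces are the classic Jabber ones.
    header = ("<stream:stream xmlns='jabber:client' "
              "xmlns:stream='http://etherx.jabber.org/streams'")
    if agreed >= (1, 0):
        header += " version='%d.%d'" % agreed
    header += ">"

    return {"peer": peer, "agreed": agreed, "features": features, "reply": header}


if __name__ == "__main__":
    new_peer = "<stream:stream xmlns='jabber:client' version='1.0'>"
    old_peer = "<stream:stream xmlns='jabber:client' to='cataclysm.cx'>"
    for hdr in (new_peer, old_peer):
        print(negotiate(hdr))
```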