[jdev] S2S questions - from attribute and version support
Vinod Panicker
vinod.p at gmail.com
Sat Dec 31 02:42:08 CST 2005
On 12/31/05, Philipp Hancke <fippo at goodadvice.pages.de> wrote:
> Justin Karneges wrote:
> > For now, servers implementors seem to be taking matters
> > into their own hands, and so not only do we have 1.0
> > without SASL, but we have TLS+dialback.
> What if SASL is implemented but there are no usable methods?
>
> Let us assume we have successfully used starttls.
> The server will only offer SASL PLAIN or DIGEST-MD5 for s2s
> authentication if there is a shared secret between the two parties.
>
> The server will only offer SASL EXTERNAL if the certificate presented
> by the client (server) meets certain criteria (see
> https://www.jabber.org/jdev/2005-November/022309.html).
>
> What if both mechanisms are not usable (and therefore not offered)?
>
> This is why tls+dialback is currently necessary.
The RFC states that SASL must be done after TLS. Though it's not
expressly forbidden, I doubt that TLS+dialback was ever intended in
the first place, since Dialback was written much before there was the
question of TLS.
Regarding the issue of SASL EXTERNAL and support for subjectAltNames,
I don't think it is currently possible to have a valid certificate with
subjectAltName extensions since none of the CAs are supporting it.
I think there should be something done for enabling federation between
servers using DIGEST-MD5 or even PLAIN. Otherwise, this looks like a
no-go. Servers will keep relying on dialback.
Regards,
Vinod.
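The mechanism-selection rules discussed in the thread (PLAIN/DIGEST-MD5 only with a shared secret, EXTERNAL only when the peer's certificate actually names the peer domain, dialback as the fallback when nothing usable remains) can be written down as a small decision procedure. The following is an added illustration, not code from any of the posters or from an XMPP server; `PeerCertificate` is a constructed stand-in for a parsed X.509 certificate, and the name-matching order (xmppAddr, then dNSName, then CN as a legacy fallback) follows the RFC 3920 §14.2 guidance as I read it, with wildcard names deliberately omitted.

```python
"""Constructed example: which SASL mechanisms an XMPP server would offer
for s2s after STARTTLS, and when it has to fall back to dialback."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerCertificate:
    """Minimal stand-in for a parsed peer certificate (constructed, not real X.509)."""
    subject_cn: str
    dns_names: List[str] = field(default_factory=list)    # subjectAltName dNSName entries
    xmpp_addrs: List[str] = field(default_factory=list)   # subjectAltName otherName id-on-xmppAddr entries
    chain_valid: bool = True                              # chain/CA validation assumed done elsewhere


def cert_names_domain(cert: PeerCertificate, domain: str) -> bool:
    """True if the certificate identifies `domain`.

    If any subjectAltName identifiers are present they are authoritative
    (xmppAddr or dNSName, exact match only). Only a certificate with no
    SAN at all falls back to the CN, which is the legacy situation the
    thread describes (CAs not issuing subjectAltName extensions).
    """
    domain = domain.lower()
    san = [n.lower() for n in cert.xmpp_addrs + cert.dns_names]
    if san:
        return domain in san
    return cert.subject_cn.lower() == domain


def offer_sasl_mechanisms(tls_established: bool,
                          shared_secret: Optional[str],
                          cert: Optional[PeerCertificate],
                          peer_domain: str) -> List[str]:
    """Mechanisms this server would advertise in <stream:features/> to the peer."""
    if not tls_established:
        return []  # SASL for s2s is only offered once STARTTLS has completed
    mechanisms = []
    # EXTERNAL: the TLS client certificate itself is the credential, so it must
    # chain to a trusted CA and name the domain the peer claims to be.
    if cert is not None and cert.chain_valid and cert_names_domain(cert, peer_domain):
        mechanisms.append("EXTERNAL")
    # Password mechanisms need a pre-shared secret between the two servers.
    if shared_secret:
        mechanisms.extend(["DIGEST-MD5", "PLAIN"])
    return mechanisms


def choose_s2s_auth(tls_established: bool,
                    shared_secret: Optional[str],
                    cert: Optional[PeerCertificate],
                    peer_domain: str) -> str:
    """First usable mechanism, or 'dialback' when nothing was offered."""
    mechs = offer_sasl_mechanisms(tls_established, shared_secret, cert, peer_domain)
    return "SASL " + mechs[0] if mechs else "dialback"


if __name__ == "__main__":
    # Constructed certificates for two hypothetical peers.
    san_cert = PeerCertificate("example.net", dns_names=["example.net"])
    cn_only_cert = PeerCertificate("mail.example.org")  # CA issued no SAN, CN is the mail host
    for label, args in [
        ("SAN cert, no secret", (True, None, san_cert, "example.net")),
        ("CN-only cert, no secret", (True, None, cn_only_cert, "example.org")),
        ("CN-only cert, shared secret", (True, "s3cret", cn_only_cert, "example.org")),
        ("no TLS at all", (False, "s3cret", san_cert, "example.net")),
    ]:
        print(f"{label:30s} -> offered={offer_sasl_mechanisms(*args)} "
              f"choice={choose_s2s_auth(*args)}")
```

The second case is the one the thread is about: a certificate that is perfectly valid for TLS but carries no identifier for the XMPP domain leaves EXTERNAL unusable, and without a shared secret the only thing left is dialback over the encrypted stream.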