[jdev] S2S questions - from attribute and version support
Matthias Wimmer
m at tthias.net
Sat Dec 31 03:59:48 CST 2005
HI Vinod!
Vinod Panicker schrieb:
>The RFC states that SASL must be done after TLS. Though its not
>expressly forbidden, I doubt that TLS+dialback was ever intended in
>the first place, since Dialback was written much before there was the
>question of TLS.
>
>
... but you cannot tell me that TLS+dialback is worse than just
unencrypted dialback. Therefore I think it has been a good idea to use
the starttls extension on dialback as well.
>Regarding the issue of SASL EXTERNAL and support for subjectAltNames,
>I dont think it is currently possible to have a valid certificate with
>subjectAltName extensions since none of the CA's are supporting it.
>
>
Right. That's why as a fallback all server implementations I know check
the CN if there is no subjectAltName extension.
>I think there should be something done for enabling federation between
>servers using DIGEST-MD5 or even PLAIN. Otherwise, this looks like a
>no-go. Servers will keep relying on dialback.
>
>
Using DIGEST-MD5 or PLAIN for interconnection between servers would mean
that EVERY PAIR of jabber servers would have to agree on a shared
secret. That's very much impractical.
Tot kijk
Matthias
More information about the JDev
mailing list