[jdev] Hosting issues

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Thu Sep 15 02:05:22 CDT 2005


On Wednesday 14 September 2005 11:02 pm, Steven Peterson wrote:
> Server dialback will work for my service, but the XMPP spec says that
> dialback is documented for backward-compatibility only. Is dialback
> disappearing, or is it still in active use? I know the open source
> servers support dialback.

Dialback is NOT going away.

I believe it is given less credit in the RFC mainly because the IETF doesn't 
want to promote another insecure authentication protocol.  However, what they 
don't realize (or more likely: don't admit! :) ) is that most of us could 
care less about cryptographic authentication between domains.  Dialback is 
effective against spammers, and that's all we expect from it.

> The XMPP specification says that the name in the cert should match
> domain part of the user's id. This is a problem because I will not
> have the cert for my users' domains as mentioned above.
>
> Most client applications allow the user to specify the server
> separately from their user id. The ideal thing for my service is for
> client applications to verify the cert using the server name instead
> of the domain part of the user's id. That way, I only need my own cert
> and private key.

Unfortunately this simply breaks a lot of rules.  The forced host name is not 
relevant to TLS, just like the IP address that it resolves to.  All that 
matters is the desired Jabber domain.  Users have a bad enough time trying to 
determine whether or not something is secure, and adding further 
rules/exceptions would only make it worse.

The best answer I can give you is that hopefully someday you'll be able to use 
a separate Jabber server cert, indicated using the XMPP OtherName extension 
attribute to store the domain name (and the CommonName could instead be a 
freeform string).  I don't think any clients support this extension yet, 
though.  Anyway, such a cert would not be usable for HTTP, so your users 
wouldn't have to worry about you hijacking their webservers.

-Justin
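Justin's rule that the reference identity is the JID's domain and not the host the client happens to be pointed at, as an added example that is not from the thread or any XMPP project. It assumes the TLS library has already parsed subjectAltName into (kind, value) tuples, and the two sample certificates are constructed.

```python
# Added example: which name a client verifies a server certificate against.
# Assumption: the TLS library has already parsed subjectAltName into
# (kind, value) tuples; an otherName value is an (oid, utf8-string) pair.

ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr OtherName OID (RFC 3920)

def _norm(name):
    return name.strip().rstrip(".").lower()

def jid_domain(jid):
    """Reference identity: the domain part of node@domain/resource."""
    bare = jid.split("/", 1)[0]            # drop the resource
    return _norm(bare.rsplit("@", 1)[-1])  # drop the node part, if any

def dns_name_matches(pattern, domain):
    """dNSName match; '*' covers exactly one leftmost label."""
    pattern, domain = _norm(pattern), _norm(domain)
    if pattern == domain:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        labels = domain.split(".")
        return (suffix.count(".") >= 1
                and len(labels) == suffix.count(".") + 2
                and ".".join(labels[1:]) == suffix)
    return False

def cert_matches_jid(san_entries, jid):
    """Accept the cert only if a SAN entry names the JID domain. The host
    the client was told to connect to never enters into the decision."""
    domain = jid_domain(jid)
    for kind, val in san_entries:
        if kind == "otherName" and val[0] == ID_ON_XMPPADDR and _norm(val[1]) == domain:
            return True, "xmppAddr names " + domain
    for kind, val in san_entries:
        if kind == "DNS" and dns_name_matches(val, domain):
            return True, "dNSName %s covers %s" % (val, domain)
    return False, "no SAN entry names " + domain

# Constructed sample certs: the hosting provider's own cert, and a per-domain
# cert of the kind Justin describes (xmppAddr carries the domain, CN free-form).
HOSTING_CERT_SAN = [("DNS", "jabber.hostingco.example")]
CUSTOMER_CERT_SAN = [("otherName", (ID_ON_XMPPADDR, "customer.example"))]

if __name__ == "__main__":
    for label, san in (("hosting", HOSTING_CERT_SAN), ("customer", CUSTOMER_CERT_SAN)):
        print(label, cert_matches_jid(san, "alice@customer.example/home"))
```

The provider's cert is rejected for alice's JID even though it is the host she connects to; only a cert naming customer.example passes.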
