> From: Matthias Wimmer [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 12, 2004 5:07 AM
>
> Hi Justin!
>
> Justin Karneges wrote on 2004-11-11 22:07:54:
> > And now that I think about it, the whole "use dialback for the first
> > connection, SASL EXTERNAL for all after" concept would be a good way to
> > optimize s2s.
>
> Not sure ... there are valid reasons to change your s2s certificate:
>
> - Key expired
> - Key has been compromised
> - Key has been lost
>
Well, if the cert changed you could then "verify" the key again with a dialback and reset the cache if you got the same response from the dialback authority. In this scenario SASL EXTERNAL + STARTTLS would be used with trusted CA-signed certs (either your own or a public CA) and also cached dialback-trusted certs. Of course with caching you have to make sure your key cache is secure. Servers should also allow for a list of untrusted authorities and certs to be administered.

I have to say this implementation sounds very useful.

JD

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mail.jabber.org/mailman/listinfo/jdev
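The trust decision the thread sketches (dialback on first contact, SASL EXTERNAL against a cached dialback-verified cert afterwards, a fresh dialback plus cache reset when the peer's cert changes, and an administered deny-list), as an added Python illustration that is not code from the thread or from any Jabber server; the dialback authority, the CA check and the certificate bytes are constructed stand-ins.

```python
import hashlib
from typing import Callable, Dict, List, Set


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes; stand-in for a real certificate fingerprint."""
    return hashlib.sha256(cert_der).hexdigest()


class S2STrustCache:
    """Decides how an inbound s2s peer gets authenticated, per the thread's scheme."""

    def __init__(self, dialback: Callable[[str], bool],
                 ca_trusted: Callable[[bytes], bool]) -> None:
        self._dialback = dialback        # asks the dialback authority about a domain (stand-in)
        self._ca_trusted = ca_trusted    # does the cert chain to an administered trusted CA?
        self.cache: Dict[str, str] = {}  # domain -> fingerprint verified by dialback
        self.untrusted: Set[str] = set() # administered deny-list of cert fingerprints

    def decide(self, domain: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        if fp in self.untrusted:
            return "reject"              # administered deny-list wins over everything
        if self._ca_trusted(cert_der):
            return "sasl-external"       # CA-signed cert: no dialback needed
        if self.cache.get(domain) == fp:
            return "sasl-external"       # same cert as the dialback-verified one
        # First contact, or the cert changed: "verify" the key again with dialback.
        if self._dialback(domain):
            self.cache[domain] = fp      # reset the cache entry to the new cert
            return "dialback"
        self.cache.pop(domain, None)     # could not re-verify: drop any stale entry
        return "reject"


def demo() -> List[str]:
    """Walk the thread's scenario with constructed certs and a fake dialback authority."""
    cert_a, cert_b = b"constructed DER for cert A", b"constructed DER for cert B"
    authority = lambda domain: domain == "example.org"   # pretend the dialback check says yes
    tc = S2STrustCache(dialback=authority, ca_trusted=lambda c: False)
    return [tc.decide("example.org", cert_a),   # first contact -> dialback
            tc.decide("example.org", cert_a),   # matches cache -> sasl-external
            tc.decide("example.org", cert_b)]   # cert changed -> dialback again


if __name__ == "__main__":
    print(demo())
```

The cache holds only fingerprints, but as JD notes it is itself a trust anchor, so it needs the same protection as a key store.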
