--- Begin Message ---

Sorry, I already deleted the posting I am replying to. Concerning the question of whether establishing a SASL encryption layer should be supported inside a connection that is already protected by a TLS layer:

I think that a SASL encryption layer inside a TLS layer should be supported. One reason for this would be a server that wants to be sure that it is really the user on the other side of the connection and that no man-in-the-middle attack is taking place. The server cannot rely on the TLS layer for this as long as the client does not present its own certificate! This is because it does not know whether the TLS layer has been established by the client at all (or just by the man in the middle, who told the client that TLS support is not available on the server, or the client was offered TLS but did not check the certificate).

An auth-conf layer is the only currently available solution for a server to know that there is a secure connection to the client if client certificates are not used. Note that not even auth-int is enough for a server to know this, as the TLS layer is established before the connection is protected by the SASL integrity layer, and therefore TLS could have been established by the man in the middle before doing SASL and telling the Jabber client that TLS is not available. The connection is then only protected against the man in the middle injecting or removing stanzas, but not from being watched by this man in the middle.

See you,
Matthias

psi-devel mailing list
[EMAIL PROTECTED]
http://lists.affinix.com/listinfo.cgi/psi-devel-affinix.com
--- End Message ---
Forwarding this message to the JDEV list, as I think, that other client
authors might think about this as well.
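The argument in the forwarded mail, as an added Python model (not code from the mail, from Psi or from any Jabber library): a SASL security layer keyed from the shared password protects the client-to-server path end to end, so a man in the middle who has stripped TLS from the client and opened its own TLS session to the server can still read stanzas under auth-int but not under auth-conf, and cannot modify them undetected under either. The key derivation, nonce, stanza and password are constructed for the demonstration and do not follow DIGEST-MD5's real key schedule.

```python
import hashlib
import hmac
import os

# Constructed values for the model; the shared password is the only
# secret the man in the middle does not have.
PASSWORD = b"constructed-shared-secret"
STANZA = b"<message><body>meet at noon</body></message>"
TAG_LEN = 32

def layer_key(password: bytes, nonce: bytes) -> bytes:
    # Assumed key derivation for the model; DIGEST-MD5 derives keys differently.
    return hashlib.sha256(password + nonce).digest()

def keystream(key: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + b"enc" + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def wrap(key: bytes, stanza: bytes, qop: str) -> bytes:
    """Client side. auth-int: stanza + MAC; auth-conf: encrypted stanza + MAC."""
    body = stanza if qop == "auth-int" else bytes(
        a ^ b for a, b in zip(stanza, keystream(key, len(stanza))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unwrap(key: bytes, wire: bytes, qop: str):
    """Server side. Returns the stanza, or None if the MAC fails (tampering detected)."""
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return body if qop == "auth-int" else bytes(
        a ^ b for a, b in zip(body, keystream(key, len(body))))

def stripped_tls(qop: str, tamper: bool = False):
    """The man in the middle told the client that TLS is unavailable and holds
    its own TLS session to the server, so TLS hides nothing from it.
    Returns (bytes the attacker can read, stanza the server accepted or None)."""
    key = layer_key(PASSWORD, os.urandom(8))  # server nonce passes through unchanged
    wire = wrap(key, STANZA, qop)
    attacker_reads = wire[:-TAG_LEN]          # everything before the MAC
    if tamper:
        wire = bytes([wire[0] ^ 0x01]) + wire[1:]  # attacker edits one byte
    return attacker_reads, unwrap(key, wire, qop)
```

Under auth-int the attacker's view equals the stanza; under auth-conf only the server recovers it, and any edit is rejected in both modes.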
