Simon Wilkinson wrote:
> I'm interested in what people feel the 'correct' approach is to the
> following situation.
>
> XMPP (the 'Jabber' protocol) uses DNS SRV records to determine the
> location of a Jabber service for a given DNS domain. In some
> implementations there may be multiple servers, running on multiple
> different machines, all of which can accept an incoming connection.
> In current Jabber (and MIT Kerberos) implementations, the service
> principal used for the SASL/GSSAPI/Kerberos connection is the canonical
> version of the hostname returned from the results of the SRV query.
>
> This is obviously bad, as the use of an insecure directory service (DNS)
> to perform both of these lookups presents an opportunity for a MITM
> attack. Worse is a current proposal that the server should be able to
> tell the client the principal name to use.
>
> So, for a Jabber connection to 'example.org', should we be connecting to
> the service principal 'xmpp/example.org'? But, how does this work where
> 'example.org' is providing multiple XMPP servers - should they all have
> a copy of the same key material, and does this present further concerns?
>
> Cheers,
>
> Simon.
What we want in this case is the use of Domain-based Service Names as
described in

  draft-ietf-kitten-gssapi-domain-based-names-01.txt
  draft-ietf-kitten-krb5-gssapi-domain-based-names-01.txt

Please review the drafts and send any feedback you may have to the
Kitten WG and Kerberos WG mailing lists.

Jeffrey Altman

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
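As an added illustration (not code from the thread, the drafts, or any Kerberos implementation), the following Python sketch contrasts the two naming schemes under discussion: the principal derived from the canonicalized SRV target, and a domain-based name. It uses a constructed realm and constructed DNS data, and assumes the three-component form service/hostname/domain@REALM that RFC 5179 later specified for the Kerberos mapping; the -01 drafts cited above may differ in detail.

```python
REALM = "EXAMPLE.ORG"  # constructed realm for this example

# Constructed DNS views: what example.org really publishes, and what a client
# would see if its resolver answers were tampered with (the MITM case above).
HONEST_DNS = {
    "srv": {"_xmpp-client._tcp.example.org": ["xmpp.example.org", "xmpp2.example.org"]},
    "cname": {"xmpp.example.org": "xmpp1.example.org"},
}
SPOOFED_DNS = {
    "srv": {"_xmpp-client._tcp.example.org": ["rogue.example.org"]},
    "cname": {},
}

def srv_targets(dns, domain):
    """SRV targets for the domain (constructed lookup; a real resolver
    would also order them by priority and weight)."""
    return dns["srv"][f"_xmpp-client._tcp.{domain}"]

def canonicalize(dns, host):
    """Follow CNAMEs to the canonical hostname, as the implementations
    in the thread do before forming the principal name."""
    while host in dns["cname"]:
        host = dns["cname"][host]
    return host

def hostbased_principal(dns, domain):
    """Current practice per the thread: xmpp/<canonical SRV target>@REALM.
    Everything that names the peer is taken from DNS answers."""
    return f"xmpp/{canonicalize(dns, srv_targets(dns, domain)[0])}@{REALM}"

def domainbased_principal(dns, domain):
    """Domain-based name, assumed here to be service/hostname/domain@REALM
    (the Kerberos mapping later published as RFC 5179). The hostname still
    comes from DNS, but the domain component is the one the user asked for,
    so the peer must hold a key the realm issued for serving that domain."""
    return f"xmpp/{canonicalize(dns, srv_targets(dns, domain)[0])}/{domain}@{REALM}"

def domain_component(principal):
    """Domain a domain-based principal claims to serve (None for a host-based
    one); a client compares it with the domain the user typed, not with DNS."""
    parts = principal.split("@", 1)[0].split("/")
    return parts[2] if len(parts) == 3 else None

def per_server_principals(dns, domain):
    """On the 'same key material?' question: every SRV target gets its own
    domain-based principal and key; only the domain component is shared."""
    return [f"xmpp/{canonicalize(dns, h)}/{domain}@{REALM}"
            for h in srv_targets(dns, domain)]
```

With the spoofed view, the host-based name is entirely chosen by whoever answered the DNS query, whereas the domain-based name keeps the user-supplied domain, which is the property the drafts are after.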
