On Tue Apr 14 17:07:41 2009, Peter Saint-Andre wrote:
> Dialback is not an authentication protocol.
I have no idea what else it is.
Dialback might not be a terribly secure authentication mechanism, but
the intent is to verify an identity assertion, for use as the basis
for authorization, and if that's not an authentication mechanism I
have no idea how else to describe it.
FWIW, I'm not sure there's any such thing as an authorization
protocol, since the act of authorization is almost by definition an
internal matter. (Although policy query services would probably
count).
> [snip]
>> It's still not clear to me what TLS+dialback really means. If you're
>> going to do TLS, use real certs and then you can do authentication
>> via SASL EXTERNAL.
>
> SASL EXTERNAL is a non-starter in the public network.
> That's an assertion not necessarily backed up by evidence. I am not
> convinced that TLS + EXTERNAL is a non-starter on the public XMPP
> network, but then again I help to run a CA that issues free domain
> certificates for that network (visit http://xmpp.org/ca/ to get yours
> today). I think we can say that TLS + EXTERNAL has not been widely
> adopted, but that doesn't mean it never will be widely adopted. It all
> depends on what threats people perceive. If the costs of getting a
> domain cert start to be less than the costs of unsecured federation,
> then people will start to use certificates.
I'd readily agree here, with the caveat that it's the X.509 that's
seeing quite successful deployment by the usual standards. In fact,
if you compare the XMPP network to the HTTP one, and consider the
proportion of XMPP servers deploying routine TLS with a CA-signed
certificate, to the proportion of HTTP servers even offering any TLS
at all, I think XMPP is looking remarkably good.
But Philip's right that we could never mandate CA-signed
certificates, we can merely recommend strongly that servers obtain
one - to mandate them and pretend that dialback does not exist would
be burying our heads in the sand to an extraordinary degree.
Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
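Added illustration (not part of the thread, and not code from any of the participants or from an XMPP server project): a small Python simulation of the dialback exchange Dave describes as "verifying an identity assertion". The Originating Server asserts a domain, the Receiving Server resolves that domain and asks whoever DNS points to (the Authoritative Server) whether the key is genuine. The key derivation follows the HMAC-SHA256 construction recommended by XEP-0185; the hex encoding of the hashed secret, the domain names, secrets and stream ids, and the dict standing in for DNS are all constructed for this example.

```python
"""Simulated XMPP server dialback (XEP-0220) between three roles.

Originating Server:   opens a stream to the Receiving Server and asserts
                      "I am <domain>", sending a key as evidence.
Receiving Server:     cannot trust that assertion, so it resolves the
                      asserted domain and asks the server found there
                      (the Authoritative Server) whether the key is genuine.
Authoritative Server: recomputes the key from its own secret and answers.

All domains, secrets and stream ids are constructed for the example; the
DNS lookup is a plain dict standing in for SRV/A record resolution.
"""
import hashlib
import hmac
import secrets


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Dialback key as recommended by XEP-0185:
    HMAC-SHA256(SHA256(secret), "receiving originating stream_id").
    Feeding the hex digest of the hashed secret to HMAC is this example's
    choice of encoding (an assumption, not mandated by the XEP)."""
    hashed_secret = hashlib.sha256(secret).hexdigest().encode()
    message = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hashed_secret, message, hashlib.sha256).hexdigest()


class XmppServer:
    """One XMPP server; the same object can play any of the three roles."""

    def __init__(self, domain: str, secret: bytes):
        self.domain = domain      # the domain this server believes it serves
        self.secret = secret      # private; never leaves the server

    def send_result(self, receiving: str, stream_id: str) -> dict:
        """Originating role: <db:result from='me' to='receiving'>key</db:result>."""
        key = dialback_key(self.secret, receiving, self.domain, stream_id)
        return {"from": self.domain, "to": receiving, "key": key}

    def handle_verify(self, verify: dict) -> dict:
        """Authoritative role: answer <db:verify from='receiving' to='me' id='sid'>key</db:verify>.
        Only a server holding the secret behind the key can reproduce it."""
        if verify["to"] != self.domain:
            verdict = "invalid"
        else:
            expected = dialback_key(self.secret, verify["from"], verify["to"], verify["id"])
            verdict = "valid" if hmac.compare_digest(expected, verify["key"]) else "invalid"
        return {"from": self.domain, "to": verify["from"], "id": verify["id"], "type": verdict}


def federate(originating: XmppServer, receiving: XmppServer, dns: dict) -> str:
    """Run one dialback and return the Receiving Server's verdict ('valid'/'invalid').

    dns maps a domain name to the XmppServer that resolution says is
    authoritative for it (constructed stand-in for real DNS)."""
    stream_id = secrets.token_hex(16)                      # chosen by the Receiving Server
    result = originating.send_result(receiving.domain, stream_id)
    authoritative = dns.get(result["from"])
    if authoritative is None:
        return "invalid"                                   # asserted domain does not resolve
    verify = {"from": receiving.domain, "to": result["from"],
              "id": stream_id, "key": result["key"]}
    answer = authoritative.handle_verify(verify)
    return answer["type"]                                  # relayed as <db:result type=.../>


def demo() -> tuple:
    """Three runs: honest peer, a second server asserting example.net without
    its secret, and the same server when resolution for example.net is wrong."""
    net = XmppServer("example.net", b"constructed-secret-for-example.net")
    com = XmppServer("example.com", b"constructed-secret-for-example.com")
    # A different host that also presents itself as example.net, with its own secret.
    other = XmppServer("example.net", b"constructed-secret-for-another-host")
    dns = {"example.net": net, "example.com": com}

    honest = federate(net, com, dns)           # 'valid': net's key checked by net
    spoofed = federate(other, com, dns)        # 'invalid': key checked by the real net
    # Dialback checks the assertion against DNS, not against a certificate:
    # if resolution for example.net pointed at 'other', it would confirm its
    # own key. That dependency on DNS is the gap TLS + SASL EXTERNAL closes.
    misresolved = federate(other, com, {"example.net": other, "example.com": com})  # 'valid'
    return honest, spoofed, misresolved


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the one the thread is circling: dialback does check an identity assertion (the second run fails), but the verifier is whichever host DNS names, so the strength of the check is the strength of the name resolution, not of a credential held by the peer.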