On 6/22/12 10:48 AM, Todd Herman wrote:
> We are currently looking into implementing serverless messaging. The
> specification (and the XMPP: The Definitive Guide) both mention that
> serverless messaging does not use SASL or TLS by default so it isn’t
> secure. Has anyone looked into an appropriate way to implement this
> functionality? I get TLS but I am a little confused by SASL since it
> would require having user names and passwords stored which seems to
> almost contradict the point of serverless messaging.
SASL is a generalized authentication framework and is not tied to usernames and passwords. One approach would be to use client certificates -- thus you'd present those certs during TLS negotiation and just reference them using SASL EXTERNAL during SASL negotiation.

Peter

--
Peter Saint-Andre
https://stpeter.im/
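The exchange Peter describes (client certificate presented during TLS, then SASL EXTERNAL to bind it to a JID), as an added illustration that is not part of the original thread or of any XMPP library. It models only the SASL step, offline: it assumes the TLS handshake has already completed and handed the receiving side the peer's DER-encoded certificate, and it assumes trust is expressed as a pinned map from SHA-256 certificate fingerprint to the JID that certificate may claim, which is how a serverless (no CA, no server) deployment would typically record peers after first-contact verification. The certificate bytes, JIDs and the PINNED table are constructed for the example; the element names and error conditions are the ones RFC 6120 defines.

```python
"""
Added example (not from the thread): a minimal offline model of the SASL
EXTERNAL step for XMPP serverless messaging, where the peer's identity is
the client certificate it presented during TLS.

Assumptions (mine, not the thread's): TLS has already completed and we hold
the peer's DER certificate; trust is a pinned fingerprint -> JID map. The
"certificates" below are constructed byte strings, not real X.509 data, so
only the exchange logic is exercised, not certificate parsing.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed stand-ins for DER-encoded client certificates (not real certs).
ALICE_CERT_DER = b"constructed-der-bytes-alice"
MALLORY_CERT_DER = b"constructed-der-bytes-mallory"


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER certificate, as a TLS stack reports it."""
    return hashlib.sha256(cert_der).hexdigest()


# Pinned trust store: fingerprint -> JID the holder of that cert may claim.
# Populated out of band (first-contact verification); constructed for the example.
PINNED = {fingerprint(ALICE_CERT_DER): "alice@example.net"}


def stream_features_xml() -> str:
    """Features the receiving side advertises after TLS: EXTERNAL only, no password mechanisms."""
    features = ET.Element("stream:features")
    mechs = ET.SubElement(features, "mechanisms", xmlns=SASL_NS)
    ET.SubElement(mechs, "mechanism").text = "EXTERNAL"
    return ET.tostring(features, encoding="unicode")


def build_auth(authzid: str = "") -> str:
    """Initiator's <auth mechanism='EXTERNAL'/> element.

    Per RFC 6120 / RFC 4422 an empty authorization identity is sent as a
    single '='; otherwise the authzid is base64-encoded.
    """
    auth = ET.Element("auth", xmlns=SASL_NS, mechanism="EXTERNAL")
    auth.text = base64.b64encode(authzid.encode()).decode() if authzid else "="
    return ET.tostring(auth, encoding="unicode")


def failure(condition: str) -> str:
    """Serialized SASL <failure/> carrying one RFC 6120 error condition."""
    f = ET.Element("failure", xmlns=SASL_NS)
    ET.SubElement(f, condition)
    return ET.tostring(f, encoding="unicode")


def handle_auth(auth_xml: str, peer_cert_der: bytes):
    """Receiving side's decision.

    Returns (authorized_jid, response_xml). The identity comes from the TLS
    client certificate, never from the request; a claimed authzid is only
    accepted if it matches the JID pinned for that certificate.
    """
    el = ET.fromstring(auth_xml)
    if el.tag != f"{{{SASL_NS}}}auth" or el.get("mechanism") != "EXTERNAL":
        return None, failure("invalid-mechanism")
    jid = PINNED.get(fingerprint(peer_cert_der))
    if jid is None:
        # Unknown certificate: nothing to bind the peer to, so refuse.
        return None, failure("not-authorized")
    text = (el.text or "").strip()
    if text and text != "=":
        try:
            claimed = base64.b64decode(text, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None, failure("incorrect-encoding")
        if claimed != jid:
            # Valid cert, but it is trying to act as someone else.
            return None, failure("invalid-authzid")
    ok = ET.Element("success", xmlns=SASL_NS)
    return jid, ET.tostring(ok, encoding="unicode")


if __name__ == "__main__":
    print(stream_features_xml())
    for label, authzid, cert in [
        ("alice, no authzid", "", ALICE_CERT_DER),
        ("alice, explicit authzid", "alice@example.net", ALICE_CERT_DER),
        ("mallory, unpinned cert", "", MALLORY_CERT_DER),
        ("alice's cert claiming bob", "bob@example.net", ALICE_CERT_DER),
    ]:
        jid, resp = handle_auth(build_auth(authzid), cert)
        print(f"{label:28s} -> {jid} {resp}")
```

The point the check makes explicit is that with EXTERNAL there is nothing to store but public certificates (or just their fingerprints): the peer proves possession of the private key inside the TLS handshake, and SASL only names which identity that proof is being used for. The weak part of a serverless deployment is the pinning step itself, since without a CA the first contact with a new fingerprint has to be verified by some other channel.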
