On Tue, 30 Jun 2020 at 19:46, Kim Alvefur <[email protected]> wrote:

> This does result in a number of different possible configurations. Not
> great for something security related. Personally I hope we might be able
> to phase out Dialback in the future. Today, largely thanks to Let's
> Encrypt, more and more servers have valid certificates. So, the Dialback
> code paths are more and more disused.
>
> My own server requires valid certificates and this is mostly an issue
> with certain XSF members (you know who you are). As a bonus, many
> unmaintained certificates with expired certificates that I am unable to
> establish s2s with appear to be sources of spam, which I am spared from.
Getting rid of the dialback syntax entirely depends on whether we want to
get rid of S2S multiplexing ("Piggybacking") or not. Also XEP-0288 depends
on the dialback syntax.

FWIW, there are deployments around which - for sensible reasons - do not
use TLS at all, and having dialback is a useful way of
providing authentication without TLS, though it's not clear to me they need
even the security of the actual dialback token verification.

Dave.
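As an added illustration (not code from this thread or any of its participants), here is the token check Dave refers to, using the key derivation XEP-0185 recommends for XEP-0220 dialback: the Authoritative Server recomputes the key from its own secret plus the stream parameters, so a connection claiming a domain it does not control cannot present a key the real authority will confirm. The domain names, stream id and shared secret below are constructed sample values.

```python
import hashlib
import hmac


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """XEP-0185 key generation: HMAC-SHA256, keyed with SHA256(secret), over
    '<Receiving Server> <Originating Server> <Stream ID>', hex-encoded."""
    hmac_key = hashlib.sha256(secret).digest()
    message = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hmac_key, message, hashlib.sha256).hexdigest()


def authoritative_verify(secret: bytes, receiving: str, originating: str,
                         stream_id: str, presented_key: str) -> str:
    """What the Authoritative Server does with a <db:verify> request: recompute
    the key for the stream it is asked about and answer 'valid' or 'invalid'.
    It keeps no per-stream state; the secret alone lets it check the key."""
    expected = dialback_key(secret, receiving, originating, stream_id)
    return "valid" if hmac.compare_digest(expected, presented_key.lower()) else "invalid"


# Constructed sample values for the exchange.
RECEIVING = "xmpp.example.com"   # Receiving Server, generates the stream id
ORIGINATING = "example.org"      # domain the Originating Server claims
STREAM_ID = "D60000229F"         # stream id issued by the Receiving Server
SECRET = b"constructed-shared-secret-for-example.org"  # held only by example.org


def run_dialback(claimed_domain: str, key_secret: bytes) -> str:
    """Simulate one dialback round: the connecting server sends a key in
    <db:result from=claimed_domain>; the Receiving Server forwards it in
    <db:verify> to claimed_domain's authoritative server, whose real secret is
    SECRET. Returns the authoritative answer ('valid' or 'invalid')."""
    presented = dialback_key(key_secret, RECEIVING, claimed_domain, STREAM_ID)
    return authoritative_verify(SECRET, RECEIVING, claimed_domain, STREAM_ID, presented)


if __name__ == "__main__":
    # Legitimate server: knows example.org's secret -> 'valid'.
    print("genuine example.org:", run_dialback(ORIGINATING, SECRET))
    # Server claiming example.org without its secret -> 'invalid'.
    print("impostor claiming example.org:", run_dialback(ORIGINATING, b"guess"))
```

Note that this binds the key to the Receiving Server's stream id, so a key captured from one stream does not validate another; it does not, however, protect the stream contents themselves, which is the gap TLS closes.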
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________