Hi all,

I've been having a think about dialback recently and came to the conclusion that it would be nice to begin discouraging its use on the public network. This would raise the overall quality of authentication on the network by beginning to phase out insecure DNS-based authentication as well as simplify the implementation of certificate-based auth by allowing us to only rely on SASL EXTERNAL without having to also implement "dialback without dialing back".

Towards that end, I would like to propose deprecating XEP-0220 and XEP-0185.

To decide whether this was a good idea or not, I tried to answer the following questions (this was actually to decide if I wanted to implement it or not, but I think they apply here too):

- How widespread is dialback use on the public Jabber network today?
- Are there any services that are considered "important" that only support dialback (and what do we mean by "important")?

To answer the first I asked in the chat for stats from large public servers. The only respondent was Jabber.FR (thanks Link Mauve) where only 4% of 2034 connections were using dialback. I would be curious if this is representative of the broader network if any other medium-to-large servers want to chime in.

For the second I did not end up coming up with a definition of "important", but someone suggested that jabber.org might be considered important and that they thought it had trouble with SASL EXTERNAL. I did not verify this since I don't have a domain set up to do s2s properly right now. If anyone can verify this (and if it's true can verify whether it can be upgraded to support SASL EXTERNAL) please chime in.

Thanks for reading,
Sam

--
Sam Whited
