-
Alex
mail
-
Alex
oops sorry
-
Alex
each message comes twice here with the latest Psi version
-
Zash
stpeter, I've looked at DANE and DNA and stuff. It seems to be all about a client verifying a server that it's connecting to. Do you know if anyone tried dealing with the case where a server wants to auth an incoming client connection? I found some thread on the dane list, but it didn't lead anywhere.
-
stpeter
Zash: by "auth an incoming client connection" do you mean using SASL EXTERNAL and client certificates?
-
Zash
Yes
-
Zash
For s2s connections mainly
-
stpeter
ah, for s2s
-
stpeter
I added a bit of text about that to RFC 6125 IIRC, or maybe it just ended up in RFC 6120
-
Zash
in relation to DANE?
-
stpeter
no
-
stpeter
because DANE didn't exist back then :)
-
Zash
Right
-
stpeter
basically, in s2s each server would handle things mostly in the same way, because the connection needs to be validated in each direction -- hold for URL about some more specific text
-
Zash
The undefined bit seems to be where to look for a TLSA record when you have an incoming connection
-
stpeter
http://xmpp.org/rfcs/rfc6120.html#security-certificates-validation-server
-
stpeter
Zash: right
-
stpeter
Zash: Jeff Hodges and I need to update RFC 6125 to incorporate the thinking from DANE, but it was such a lot of work the first time around that we don't want to open the can of worms again