XSF Discussion - 2022-12-22


  1. Guus

    When reading https://xmpp.org/extensions/xep-0178.html#s2s I am surprised that there is no mention of Server1 validating the certificate of Server2. Am I misreading or misunderstanding things? RFC 6120 13.7.2 seems to suggest that this is a MUST.

  2. Zash

    Orthogonal from EXTERNAL I suppose

  3. Guus

    What do you mean?

  4. Zash

    EXTERNAL is about authenticating with a client certificate.

  5. Zash

    Uh, "server1" and "server2" is confusing.

  6. Guus

    Server1 is the initiator.

  7. Zash

    EXTERNAL implies server2 validates the client certificate sent by server1. The validation in the other direction is not part of EXTERNAL, so I guess it's left out here.

  8. Zash

    RFC 6120 wording on the matter still applies, right? MUST validate the certificate, but there's no negotiation involved. You're supposed to just abort the connection if it doesn't validate, although Prosody will send a stream error with the reason before it closes the connection.

  9. Guus

    Although it's not part of the SASL authentication bit, leaving out that validation probably makes it really easy to miss that, if someone is following a 'best practices' document.

  10. Zash

    True

  11. Zash

    What does 178 add over just reading the RFC?

  12. Guus

    "Best Practices" suggests that there are other approaches to doing SASL EXTERNAL?

  13. Zash

    Are there?

  14. Guus

    I made my last comment a question, as I am not sure if that's the case.

  15. Zash

    Is it not something of a relic from the times when Dialback was the only thing used?

  16. ralphm

    SASL EXTERNAL basically means: anything goes. If you can authenticate based on the phase of the moon, you could. XEP-0178 explains that you can use the TLS certificate as a means to derive authentication.

  18. Zash

    Well, sure, you could authenticate with "your IP address looks cool" à la SMTP and SPF

  19. Zash

    Guus, you don't happen to be interested in authoring an informational XEP on modern mutual authentication for s2s? :)

  20. ralphm

    Oh nice

  21. Zash

    (please don't actually implement SPF for XMPP)

  22. Guus

    Zash, indeed, I don't happen to be interested. :)

  23. Zash

    Aaaw

  24. Zash

    Something something Direct TLS, SASL EXTERNAL, mTLS, XEP-0288

  25. singpolyma

    SPF would work better for XMPP than it does for SMTP, since we don't do relaying or bouncing

  26. singpolyma

    But probably not a good idea still

  27. Zash

    One step down from Dialback?

  28. singpolyma

    Yeah

  29. Zash

    Note to self: Do not give bad ideas as examples, people keep deploying them.

  30. singpolyma

    Dialback can't really be beat

  31. Zash

    Because it works without certificates, in the horrible world where everything is behind seven layers of reverse proxies?

  32. singpolyma

    Because it's vulnerable only to BGP type spoofing (assuming DNSSEC obvz) and verifies bidirectional connectivity

  33. singpolyma

    I guess strictly speaking dialback+DANE would be even better

  34. ralphm

    :sob:

  35. Zash

    Can haz DANCE?