[Psi-devel] Some login/sasl questions for 0.11
Matthias Wimmer
m at tthias.eu
Sun Feb 4 17:01:13 PST 2007
Sorry, I already deleted the posting I am replying to.

Concerning the question of whether establishing a SASL encryption layer
should be supported inside a connection that is already protected by a
TLS layer:

I think that a SASL encryption layer inside a TLS layer should be supported.
One reason for this would be a server that wants to be sure that it is
really the user that is on the other side of the connection and that
there is no man-in-the-middle attack taking place. The server cannot rely
on the TLS layer for this as long as the client does not present its own
certificate! This is because it does not know if the TLS layer has been
established by the client at all (or just by the man in the middle, who
told the client that TLS support is not available from the server, or the
client was offered TLS but did not check the certificate).

An auth-conf layer is the only currently available solution for a server
to know that there is a secure connection to the client if client
certificates are not used. Note that not even auth-int is enough for a
server to know this, as the TLS layer is established before the
connection is protected by the SASL integrity layer, and therefore TLS
could have been established by the man in the middle before doing SASL
and telling the Jabber client that TLS is not available. The connection
is then only protected against the man in the middle injecting or
removing stanzas, but not from being watched by this man in the middle.

See you,
Matthias