As I understand it, the way dial-back works, you can make multiple 's2s' connections via a single dial-back session. IIRC, you just send the dial-back auth token down the existing connection and it adds the new server as a valid endpoint.
With swapping to certs (and I assume SASL EXTERNAL?) does that mean one connection for every s2s connection - i.e. no piggybacking? I doubt that any arbitrary hostname is allowed to be authorised, so I assume it would just be the id-on-xmppAddr values in the subjectAltName field? If all id-on-xmppAddr values are authorised, implementors need to be careful that hostname poisoning is not allowed, i.e. check that the DNS entry matches the same IP/port of the existing connection, before checking the id-on-xmppAddr values on the already established connection.

--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/
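The two checks the mail asks for, written out as an added Go example (not code from the original thread or from any XMPP server): pull the id-on-xmppAddr otherName entries out of a peer certificate's subjectAltName, and only let the peer piggyback a further domain on an already authenticated connection if that domain is listed there and its DNS target is the same host:port the existing connection already goes to. The certificate, the domain names and the resolver are constructed fixtures; `resolve` stands in for whatever SRV/A lookup the server does and is an assumption of this example, as are all function names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OIDs: id-ce-subjectAltName and id-on-xmppAddr (RFC 6120, section 13.7.1.4).
var (
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidXmppAddr       = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 5}
)

// xmppOtherName models the OtherName SEQUENCE inside a GeneralName [0] tag:
// type-id = id-on-xmppAddr, value = [0] EXPLICIT UTF8String.
type xmppOtherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

// XMPPAddrsFromCert returns every id-on-xmppAddr name in the SAN extension.
// Go's x509 package silently drops otherName entries, so re-parse the extension.
func XMPPAddrsFromCert(cert *x509.Certificate) ([]string, error) {
	var addrs []string
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue // SEQUENCE OF GeneralName
		if rest, err := asn1.Unmarshal(ext.Value, &names); err != nil || len(rest) != 0 {
			return nil, fmt.Errorf("malformed subjectAltName extension")
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // dNSName, rfc822Name, ...: not an otherName
			}
			var on xmppOtherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
				continue // otherName whose value type this code does not model
			}
			if on.TypeID.Equal(oidXmppAddr) {
				addrs = append(addrs, on.Value)
			}
		}
	}
	return addrs, nil
}

// AuthorisePiggyback decides whether the peer on an already authenticated
// connection may additionally act for `domain`: the domain must appear verbatim
// (no wildcards) among the certificate's id-on-xmppAddr values, and its own s2s
// DNS target, as returned by `resolve`, must be the host:port of the existing
// connection, so a poisoned DNS entry cannot ride on someone else's session.
func AuthorisePiggyback(certAddrs []string, domain, peerEndpoint string, resolve func(string) string) (bool, string) {
	want := strings.ToLower(domain)
	listed := false
	for _, a := range certAddrs {
		if strings.ToLower(a) == want {
			listed = true
		}
	}
	if !listed {
		return false, "domain is not an id-on-xmppAddr in the peer certificate"
	}
	if target := resolve(want); target != peerEndpoint {
		return false, fmt.Sprintf("DNS sends %s to %s but the connection is to %s", want, target, peerEndpoint)
	}
	return true, "ok"
}

// NewTestCert self-signs a certificate whose SAN carries each name both as an
// id-on-xmppAddr otherName and as a dNSName. Constructed fixture, not a real cert.
func NewTestCert(names []string) (*x509.Certificate, error) {
	var gns []asn1.RawValue
	for _, n := range names {
		on, err := asn1.MarshalWithParams(xmppOtherName{TypeID: oidXmppAddr, Value: n}, "tag:0") // [0] IMPLICIT OtherName
		if err != nil {
			return nil, err
		}
		gns = append(gns, asn1.RawValue{FullBytes: on},
			asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte(n)}) // [2] IMPLICIT dNSName
	}
	sanDER, err := asn1.Marshal(gns)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: names[0]},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Value: sanDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert([]string{"chat.example.net", "muc.example.net"})
	if err != nil {
		panic(err)
	}
	addrs, _ := XMPPAddrsFromCert(cert)
	// Constructed resolver: muc.example.net's DNS has been pointed at another host.
	resolve := func(d string) string {
		return map[string]string{"chat.example.net": "192.0.2.10:5269", "muc.example.net": "198.51.100.7:5269"}[d]
	}
	for _, d := range []string{"chat.example.net", "muc.example.net", "other.example.org"} {
		ok, why := AuthorisePiggyback(addrs, d, "192.0.2.10:5269", resolve)
		fmt.Println(d, ok, why)
	}
}
```

The DNS comparison is deliberately done on the resolved host:port rather than on the hostname string, since the point of the check is that the asserted domain really does live at the endpoint the session was opened to.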
