On 2008-02-26 00:55, Dave Cridland wrote:
> I usually hate receiving responses like this one, but they're
> nonetheless true:
>
> The great StartTLS vs special-socket debate was over something like 10
> years ago - possibly more, actually. Even in protocols which don't offer
> the server id negotiation prior to TLS, as in XMPP, there are other
> benefits, and these are, IIRC, documented in RFC 2595. Reopening this
> debate is going to frustrate you, and annoy other people.
I strongly disagree with that statement, and I could equally state that
the "debate is over" and resolved against STARTTLS; in fact, I've
already presented arguments for this. This started with the question "why
STARTTLS?" and so far, the response has been, "Because." If you think
the debate is over, surely you can do better.
RFC 2595 defines STARTTLS for a couple of protocols. It doesn't dispense
with the debate; on the contrary, it is loaded with additional
requirements for server and client behavior just for the purpose of
protecting credentials where STARTTLS is used.
I spend entirely too much time trying to protect credentials in
STARTTLS-based protocols. Anyone in the position of actually trying to
keep clients from sending credentials in the clear fully understands the
dramatic inferiority of STARTTLS. If all code were perfect, maybe this
would be less so. Reality is that a lot of people (perhaps most) write
crap code.
Encrypt first; ask questions later. People who don't understand this
don't frustrate or annoy me--I just don't think much of them.
> There is an advantage to socket based TLS, however, which is usually
> overlooked - it's fewer round-trips. We'll hopefully address this in due
> course on standards@, though.
If the protocol provided certificate CN prenegotiation there would be at
least *one* argument in favor of using STARTTLS. If, as you say, XMPP
provides no such capability, then it's a no-brainer that STARTTLS is the
WRONG approach. I know you hate receiving responses like these, but they
are nonetheless true.
--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
"Never try to retrieve anything from a bear."--National Park Service
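The two concrete points in this exchange, that a STARTTLS client can leak credentials when the upgrade never happens and that socket-based TLS costs one fewer exchange before the first authenticated command, can be made visible with a small model. The following Python is an added example for this thread, not code from either participant or from any protocol implementation; the IMAP-flavoured message lines, the Session class and its method names are constructed for illustration.

```python
"""
Client-side guard modelling the "encrypt first; ask questions later" rule.

A tiny state machine stands in for a STARTTLS-capable client (IMAP-style
tags and replies, constructed for this example). It refuses to release
credentials unless TLS is active, records which client lines went out in
cleartext, and counts the client exchanges each mode needs before login.
"""
from dataclasses import dataclass, field


class CredentialLeak(Exception):
    """Raised when a command would carry credentials over a cleartext session."""


@dataclass
class Session:
    implicit_tls: bool                 # True = TLS on connect ("special socket")
    tls_active: bool = False
    # (direction, line, encrypted) for every line exchanged
    transcript: list = field(default_factory=list)
    round_trips: int = 0               # client commands sent (each awaits a reply)

    def __post_init__(self):
        if self.implicit_tls:
            # The TLS handshake completes before any application data flows.
            self.tls_active = True
        self._recv("* OK server ready")            # constructed greeting

    def _send(self, line):
        self.transcript.append(("C", line, self.tls_active))
        self.round_trips += 1

    def _recv(self, line):
        self.transcript.append(("S", line, self.tls_active))

    def starttls(self, server_offers_starttls=True):
        """Model the STARTTLS upgrade. If the server declines, or the
        capability was lost on the way, the session simply stays cleartext."""
        if self.tls_active:
            return
        self._send("a1 STARTTLS")
        if server_offers_starttls:
            self._recv("a1 OK Begin TLS negotiation now")
            self.tls_active = True
        else:
            self._recv("a1 BAD Unsupported")

    def login(self, user, password):
        """The guard: credentials never leave the client over cleartext."""
        if not self.tls_active:
            raise CredentialLeak("refusing to send credentials before TLS")
        self._send(f"a2 LOGIN {user} {password}")
        self._recv("a2 OK")


def cleartext_lines(session):
    """Every client line that went out unencrypted."""
    return [line for d, line, enc in session.transcript if d == "C" and not enc]


def round_trips_to_login(implicit_tls):
    """Client exchanges needed before LOGIN completes in each mode."""
    s = Session(implicit_tls=implicit_tls)
    if not implicit_tls:
        s.starttls()
    s.login("alice", "hunter2")                    # constructed credentials
    return s.round_trips


def naive_login_transcript():
    """The bug the thread warns about: a client that sends LOGIN without
    checking whether the upgrade actually happened. Returns what it leaked."""
    s = Session(implicit_tls=False)
    s.starttls(server_offers_starttls=False)       # upgrade failed, client ignores it
    s._send("a2 LOGIN alice hunter2")              # bypasses the guard in login()
    return cleartext_lines(s)


if __name__ == "__main__":
    print("implicit TLS exchanges before login:", round_trips_to_login(True))
    print("STARTTLS exchanges before login:   ", round_trips_to_login(False))
    guarded = Session(implicit_tls=False)
    guarded.starttls(server_offers_starttls=False)
    try:
        guarded.login("alice", "hunter2")
    except CredentialLeak as e:
        print("guarded client:", e)
    print("naive client leaked:", naive_login_transcript())
```

With implicit TLS there is nothing for the guard to check because `tls_active` is true before the greeting is even read, which is the whole of the "encrypt first" argument; with STARTTLS every client has to carry that check correctly, and the naive variant shows exactly what a client that forgets it puts on the wire.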