My apologies for not replying to this one, though I think it's covered elsewhere in this discussion. For completeness:
On Wed, 1 Jul 2020 at 13:28, Philipp Hancke <fi...@goodadvice.pages.de> wrote: > If the receiving server follows the process described in #9 of > https://xmpp.org/extensions/xep-0178.html#s2s > which says that you do the authentication at this point (and then again > in #11) how can external fail? > > If in step 7b, the Initiator (Server1) doesn't include a `from` attribute (which is not conformant to RFC 6120), and in addition either: a) Uses an explicit authorization identity that does not match in the SASL EXTERNAL exchange, or b) Does not provide an authorization identity, and one cannot be derived from the certificate (wildcards, etc). Option (a) used to be quite common, where a certificate for `example.org` was being used additionally by `conference.example.org` for instance, but less so now. The same vintage servers that neglect to provide a `from` attribute also tend to always provide an authorization identifier, so (b) isn't very common at all. > If the receiving server can not authenticate the request its a policy > decision to not offer external and maybe use dialback. > > Am 30.06.20 um 17:59 schrieb Jonas Schäfer: > > Hi list, > > > > (Editor hat on) > > > > On behalf of the Council, I’d like to bring this pull request to the > attention > > of the community: > > > > https://github.com/xsf/xeps/pull/963 > > > > Input from server operators specifically would be welcomed to see if this > > change is in fact desirable or if you can see any issues with that. At > least > > one member of the community has already expressed [1] that they think > this may > > lead to downgrade attacks. > > > > kind regards and thank you, > > Jonas > > > > [1]: > https://mail.jabber.org/pipermail/standards/2020-June/037592.html > > > > > > _______________________________________________ > > Standards mailing list > > Info: https://mail.jabber.org/mailman/listinfo/standards > > Unsubscribe: standards-unsubscr...@xmpp.org > > _______________________________________________ > > > _______________________________________________ > Standards mailing list > Info: https://mail.jabber.org/mailman/listinfo/standards > Unsubscribe: standards-unsubscr...@xmpp.org > _______________________________________________ >
_______________________________________________ Standards mailing list Info: https://mail.jabber.org/mailman/listinfo/standards Unsubscribe: standards-unsubscr...@xmpp.org _______________________________________________
