Hi,

Remko Tronçon;6008 Wrote:
> Maybe it would help if your post would have been a lot shorter (I
> think you could have asked the same in 15 lines of text).

Sorry about this. Maybe I always try to explain too much because I am not a native English speaker. And also I preferred to quote the examples from the XMPP stream from which I wondered these questions.

> Another thing that would help is not post this to security, but to
> standards,
> as this is about stream setup in general, not about security.

Yes, I was wondering if it was really the right mailing list. But as it was dealing with TLS and SASL methods advertised in the stream features, I thought... I was wrong so...

> - Compression disappearing after TLS negotiation indeed sounds like a
> bad setup/bug.

So jabber.org is bugged. Is it to be fixed in the administration, or is it a software bug (ejabberd compression feature)? I will see with Process One maybe if they think the issue is from ejabberd then.

> - In general, features disappearing (e.g. starttls disappearing after
> compression negotiation) or appearing (e.g. PLAIN authentication
> appearing after tls has been negotiated) are valid and useful.

I agree, so that for instance, you accept PLAIN authentication only in a TLS-encrypted stream when TLS is optional, for better security.

> - Why post non-required features when there are other required
> features? You may want to first negotiate other (optional) things
> before you start with the required layers? I can't think of a
> practical scenario from the top of my head, though.

Yes... I don't see any either. And for the SASL mechanisms sent when TLS is mandatory, I don't see the interest, as anyway authentication cannot happen before TLS negotiation. For my part, the gmail.com case which I have quoted does not have much consistency, for instance (showing some SASL mechanisms, but not all).

Thanks for the answers.

Regards,

Jehan

--
Jehan
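The three feature-advertisement points discussed in this message (PLAIN offered on a cleartext stream, SASL mechanisms listed while TLS is still required, compression vanishing after TLS) can be checked mechanically. The following is an added example, not part of the original post; the two `<stream:features/>` snapshots are constructed sample data and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "tls": "urn:ietf:params:xml:ns:xmpp-tls",
    "sasl": "urn:ietf:params:xml:ns:xmpp-sasl",
    "comp": "http://jabber.org/features/compress",
}

# Constructed sample data: features seen before and after STARTTLS.
BEFORE_TLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism>
  </mechanisms>
  <compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression>
</stream:features>"""
AFTER_TLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>"""


def parse_features(xml_text):
    """Summarise one <stream:features/> element as a dict."""
    root = ET.fromstring(xml_text)
    starttls = root.find("tls:starttls", NS)
    mechs = root.findall("sasl:mechanisms/sasl:mechanism", NS)
    return {
        "starttls": starttls is not None,
        "tls_required": starttls is not None
        and starttls.find("tls:required", NS) is not None,
        "mechanisms": [(m.text or "").strip() for m in mechs],
        "compression": root.find("comp:compression", NS) is not None,
    }


def audit(before_tls, after_tls):
    """Compare pre-TLS and post-TLS features; return a list of findings."""
    pre, post = parse_features(before_tls), parse_features(after_tls)
    findings = []
    if "PLAIN" in pre["mechanisms"]:
        findings.append("PLAIN offered before TLS")
    if pre["tls_required"] and pre["mechanisms"]:
        findings.append("SASL mechanisms advertised while TLS is required")
    if pre["compression"] and not post["compression"]:
        findings.append("compression disappears after TLS")
    return findings
```
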
