A thought: Imagine a server with a self signed certificate. When your server connects to it, it of course would't trust the cert enough to do SASL EXTERNAL, so it falls back to dialback. If dialback is successfully done a few times, while the server presents the same cert, automatically pin it and allow SASL EXTERNAL the next time.
Why: * Encourage more widespread deployment, interop testing of EXTERNAL. * Same with general use of TLS, even with self signed certs. * Security issues would be about the same as with SSH. * I suppose it would help about as much with MITM as dialback does with DNS spoofing? Thougts? -- Kim Alvefur <[email protected]>
signature.asc
Description: This is a digitally signed message part
