On 2/24/09 11:04 AM, Pavel Simerda wrote:
> On Tue, 24 Feb 2009 09:14:13 +0000
> Dave Cridland <d...@cridland.net> wrote:
>
> What I would like... is to have an easy-to-understand and
> easy-to-implement piggybacking feature without unnecessary hassle.
>
>> In fact, by specifying how to do this without actually doing
>> dialbacks, but instead by verifying the identity of the sender based
>> on the X.509 cert, we can actually get rid of SASL EXTERNAL and just
>> use X.509 only, which eliminates the difference between the "first"
>> authorization and subsequent ones.
>
> I don't see any reason to get rid of SASL EXTERNAL. I quite like the
> concept of using the same authentication flows for all
> authenticated connections.
>
> It would be nice to be able to authenticate each virtual connection
> separately. It's a multiplex, anyway, if one association fails, others
> should remain working.

Right, we need a way to say "once we have a secure connection, we can add new domains". Joe Hildebrand and I have been talking with some of the TLS and SASL people about this. One of these days we'll at least write up the requirements...

Peter

--
Peter Saint-Andre
https://stpeter.im/