On 19.03.2013 02:49, Kim Alvefur wrote:
4. Do you have any security concerns related to this specification?

The elevation of any method of domain spoofing to also include possible
interception of outgoing stanzas. Mistakes by, or compromise of, a CA,
faulty certificate validation etc. might make it possible to do a MITM
without needing to do anything DNS related.

We don't have text about that in 6120 either, have we? Rewording the second sentence of the security considerations such that both the unsolicited attack and stupid CAs are covered is easy enough though.


Checking whether the connecting IP is in the set of IPs you would connect to otherwise might mitigate that risk. That could break http://mail.jabber.org/pipermail/standards/2008-November/020533.html however, even though I still haven't seen such a setup.
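The check suggested in the reply above, written out as an added example that is not part of the original thread or of any XMPP server's code: when a remote server connects and claims to be an origin domain, the receiving side resolves that domain the same way it would for an outbound connection (SRV targets, then their addresses) and accepts the claim only if the peer's source address is in that set. The resolver functions are injected so the example runs offline against constructed DNS data; the function names, the sample records and the use of the domain itself as a fallback target when no SRV record exists are assumptions, not anything the thread specifies.

```python
"""Added example: is the connecting peer's IP one we would have dialled ourselves?

This is the mitigation discussed in the reply above, written by the editor
of this page, not code from the thread or from any XMPP implementation.
The DNS data below is constructed so the example runs offline."""
import ipaddress
from typing import Callable, Iterable, Set, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed DNS data (assumption, not real records):
# the SRV targets for each origin domain, and the addresses of each target host.
SAMPLE_SRV = {
    "example.net": ["xmpp1.example.net", "xmpp2.example.net"],
    "example.org": ["xmpp.example.org"],
}
SAMPLE_ADDRESSES = {
    "xmpp1.example.net": ["192.0.2.10", "2001:db8::10"],
    "xmpp2.example.net": ["192.0.2.11"],
    "xmpp.example.org": ["198.51.100.5"],
}


def resolve_srv(domain: str) -> Iterable[str]:
    """Stand-in SRV lookup. With no SRV record we fall back to the domain
    itself as the target host (assumption mirroring the usual fallback)."""
    return SAMPLE_SRV.get(domain, [domain])


def resolve_addresses(host: str) -> Iterable[str]:
    """Stand-in A/AAAA lookup; a real deployment would use its resolver here."""
    return SAMPLE_ADDRESSES.get(host, [])


def expected_addresses(
    domain: str,
    srv: Callable[[str], Iterable[str]] = resolve_srv,
    addrs: Callable[[str], Iterable[str]] = resolve_addresses,
) -> Set[IPAddress]:
    """The set of addresses an outbound s2s connection to `domain` could reach."""
    expected: Set[IPAddress] = set()
    for host in srv(domain):
        for addr in addrs(host):
            expected.add(ipaddress.ip_address(addr))
    return expected


def peer_address_is_expected(
    domain: str,
    peer_ip: str,
    srv: Callable[[str], Iterable[str]] = resolve_srv,
    addrs: Callable[[str], Iterable[str]] = resolve_addresses,
) -> bool:
    """True only if the peer that claims `domain` connected from an address
    we would have connected to for that domain. Unparseable addresses and
    domains with no resolvable targets are rejected rather than trusted."""
    try:
        ip: IPAddress = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # An IPv4-mapped IPv6 source (::ffff:a.b.c.d) is compared as its IPv4 form,
    # since a dual-stack listener may report the peer that way.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip in expected_addresses(domain, srv, addrs)


if __name__ == "__main__":
    # A peer claiming example.net from one of example.net's own addresses passes;
    # the same claim from example.org's address does not.
    print(peer_address_is_expected("example.net", "192.0.2.11"))
    print(peer_address_is_expected("example.net", "198.51.100.5"))
```

Two caveats follow directly from the reply. The lookup runs over the same DNS an attacker might already control, so this check only closes the case the reply raises (a bad or mis-issued certificate with no DNS manipulation); it adds nothing against DNS spoofing. And it is exactly as strict as the reply warns: a legitimate deployment whose outbound connections leave from an address not published in its records would be refused, which is the setup the linked 2008 message concerns.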
