[Standards-JIG] UPDATED: XEP-0178 (Best Practices for Use of SASL EXTERNAL)
Dave Cridland
dave at cridland.net
Tue Nov 28 10:48:12 CST 2006
On Tue Nov 28 05:36:59 2006, XMPP Extensions Editor wrote:
> Version 0.4 of XEP-0178 (Best Practices for Use of SASL EXTERNAL)
> has been released.
I read this, and a couple of things stand out for me - sufficient for
me to ask Alexey Melnikov to read it through. I've re-interpreted
some of his comments, and added some of my own. Mistakes are still my
own. :-)
1) The server should authenticate the user before offering EXTERNAL.
Offering EXTERNAL implies that it's already been authenticated by
some unspecified means. Failure to authenticate via a certificate
simply means that the server doesn't offer EXTERNAL - it shouldn't
close the connection simply due to not recognizing the certificate;
it's essentially the same situation as not having a certificate at
all.
2) The <auth/> element has to contain some character data, although
this would typically be an empty response - "=" - for clients, and
probably servers too. RFC4422 essentially says that clients shouldn't
make any assumption about how the server will bind an authorization
identity, so in theory there's an argument for the client explicitly
specifying its JID here. Alexey commented here: "But I am not
sure this should be mentioned at all".
3) Resource binding doesn't authorize, as others have pointed out.
4) Alexey spotted that the document's recommended course of action if
the EXTERNAL mechanism fails is to close the stream - there's no need
to do this, the client might be able to authenticate using a different
mechanism.
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
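As an added illustration of points 1, 2 and 4 above (this is constructed example code, not part of the original post or of XEP-0178), a small Python model of the SASL EXTERNAL exchange: EXTERNAL is listed only once the TLS layer has already bound a validated client certificate to a JID (cert_jid is an assumed input), the <auth/> element always carries character data with "=" for an empty response, and a failed EXTERNAL attempt ends in <failure/> followed by the next mechanism rather than a stream close. The fallback mechanism names and the JIDs used in the test are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

def offered_mechanisms(cert_jid):
    # Point 1: cert_jid is the JID the TLS layer already bound from a validated
    # client certificate (assumed input); with none, EXTERNAL is simply not listed.
    fallback = ["SCRAM-SHA-1", "PLAIN"]  # assumed other mechanisms
    return (["EXTERNAL"] if cert_jid else []) + fallback

def build_auth(authzid=""):
    # Point 2: <auth/> must carry character data. An empty initial response is
    # the single "=" (RFC 4422); an explicit authzid is sent base64-encoded.
    data = "=" if authzid == "" else base64.b64encode(authzid.encode()).decode()
    return f"<auth xmlns='{SASL_NS}' mechanism='EXTERNAL'>{data}</auth>"

def decode_auth(auth_xml):
    # Server side of point 2: "=" decodes to an empty authzid ("use the
    # identity from my certificate"); no character data at all is malformed.
    text = (ET.fromstring(auth_xml).text or "").strip()
    if not text:
        raise ValueError("<auth/> must contain character data")
    return "" if text == "=" else base64.b64decode(text).decode()

def handle_external(auth_xml, cert_jid):
    # Accept if the requested authzid is empty or equals the certificate's JID;
    # any failure is a <failure/> element, never a stream close (point 4).
    try:
        authzid = decode_auth(auth_xml)
    except ValueError:
        return f"<failure xmlns='{SASL_NS}'><malformed-request/></failure>"
    if cert_jid and authzid in ("", cert_jid):
        return f"<success xmlns='{SASL_NS}'/>"
    return f"<failure xmlns='{SASL_NS}'><not-authorized/></failure>"

def negotiate(cert_jid, authzid=""):
    # Constructed exchange returning the SASL elements both sides send, in order:
    # after <failure/> comes another <auth/> for the next mechanism, not a close.
    mechs = offered_mechanisms(cert_jid)
    log = [f"<mechanisms xmlns='{SASL_NS}'>" + "".join(f"<mechanism>{m}</mechanism>" for m in mechs) + "</mechanisms>"]
    if "EXTERNAL" in mechs:
        auth = build_auth(authzid)
        reply = handle_external(auth, cert_jid)
        log += [auth, reply]
        if reply.startswith("<success"):
            return log
    nxt = next(m for m in mechs if m != "EXTERNAL")
    log.append(f"<auth xmlns='{SASL_NS}' mechanism='{nxt}'>(initial-response)</auth>")
    return log
```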