[Standards] RFC 3920, 10.2/10.3: subdomain routing rules
Bruce Campbell
b+jabber at bruce-2007.zerlargal.org
Wed Mar 28 09:40:10 CDT 2007
On Wed, 28 Mar 2007, Ralph Meijer wrote:
> On Wed, 2007-03-28 at 09:42 +0000, Dave Cridland wrote:
>> On Tue Mar 27 20:53:33 2007, Peter Saint-Andre wrote:
>>> Bruce Campbell wrote:
>>>> 9.1.2 From
>>>>
>>>> Furthermore, the domain identifier portion of the JID
>>>> contained in
>>>> the 'from' attribute MUST match the hostname of the sending
>>>> server
>>>> (or any validated domain thereof, such as a validated domain
>>>> hosted by the sending server) as communicated in the SASL
>>>> negotiation, dialback negotiation or other means;
>>> ^^^^^^^^^^^^^^
>>> What might those other means be?
>>
>> I think Bruce's (sensible) intention is to leave the door open for
>> other methods as yet unspecified. DNS-SEC might be one such option, I
>> suppose, although I'm not entirely sure. Text as-is looks good to me.
Actually, I wasn't sure how to properly describe the addition of an
additional (validated) domain via C.4-style piggybacking, as it isn't
quite SASL or dialback negotiation. Intent is certainly to avoid
a future restriction on how (local or remote) domains become 'validated'
to the local server/router.
Could even be pared down to:
Furthermore, the domain identifier portion of the JID contained in
the 'from' attribute MUST match one of the valid domains of the
sending server as previously communicated.
[separate topic]
> Actually I think that using DNS-SEC as a source for authentication would
> be in combination with SASL EXTERNAL, just like how we now use TLS
> certs. I'm not sure if you need to explicitly mention alternates.
DNSSEC ensures that the answer you got is correct. TLS ensures that the
connection you made is to the correct host (and does feel-good stuff like
encrypting the connection).
--
Bruce Campbell.
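A receiving-side check for the 'from' rule discussed in this thread, as an added example that is not part of the thread or of any XMPP server's code. The class and method names are this example's own, and domain comparison is plain lowercase matching rather than full nameprep.

```python
class InboundServerStream:
    """Tracks the domains a peer server has validated on one inbound s2s
    stream and enforces that every stanza's 'from' domain is one of them.

    How a domain became validated (SASL, dialback, or dialback piggybacked
    on an already-authenticated stream) is recorded but does not matter for
    the check, which is the point of the rewording proposed above.
    Hypothetical names, not from RFC 3920 or any implementation."""

    def __init__(self):
        self.validated = {}  # normalized domain -> validation method

    def validate_domain(self, domain, method):
        # Called when a domain is proven for this stream; 'method' is a
        # free-form label such as "sasl", "dialback" or "piggyback".
        self.validated[domain.lower().rstrip(".")] = method

    @staticmethod
    def jid_domain(jid):
        """Return the domain identifier of a JID, or None if malformed.

        JID syntax is [node@]domain[/resource]. A resource may contain
        '@' and '/', so the resource is split off first; a node may not
        contain '@', so the bare JID is split at its first '@'."""
        bare, _, _resource = jid.partition("/")
        if not bare:
            return None
        if "@" in bare:
            _node, _, domain = bare.partition("@")
        else:
            domain = bare
        if not domain or "@" in domain:
            return None
        return domain.lower().rstrip(".")

    def check_from(self, stanza_from):
        """Return (accepted, reason) for a stanza's 'from' attribute value.

        A stanza with no 'from' has nothing to match against and is
        refused rather than silently accepted."""
        if stanza_from is None:
            return False, "missing 'from' attribute"
        domain = self.jid_domain(stanza_from)
        if domain is None:
            return False, "malformed JID %r" % stanza_from
        if domain not in self.validated:
            return False, "domain %r not validated on this stream" % domain
        return True, "domain %r validated via %s" % (domain, self.validated[domain])
```

A stanza whose 'from' domain was validated later in the stream (for example by piggybacked dialback) is accepted as soon as validate_domain has run for it; a spoofed domain in a resource or node part never reaches the comparison.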