Hi all,
I'm currently implementing SASL2 (et al.) into Openfire, which is amusing
since I had the first implementation there years ago.
In doing so, I've a few comments, most of which are directed at past-me of
course. Past-me is an idiot, and I have ample evidence of this.
1) One of the changes from the original SASL profile is that there's no
need for (and no mention of) the "equals hack" to indicate no data. Should
this be explicitly called out?
2) The user-agent - this is a SHOULD (well, RECOMMENDED, which means the
same thing). The consequences of not including it are that other
specifications might rely on it - the same as the id, which is also SHOULD.
I dislike the amount of SHOULD here; it feels like the "outer" SHOULD is
sufficient, and a user-agent with no id attribute is a bit useless.
3) The id string given MUST be a UUIDv4. What should the server do if it
receives a non-UUID, or a UUID of a different type to v4? A purist might
reject it, but this seems wrong - what guidance can we put here? If we
accept any old string, and it's not a UUIDv4, what happens?
4) Second para of Initiation talks about an authorization string, but
there's no such string defined. Was this intended to mean the requested
authorization identity in the SASL mechanism? That's an interesting
challenge, especially from just the initial-response which might not be
present. I think I follow the intent here, but the detail seems off.
Dave.
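Points 1 and 3 above are both about what a receiving server does with the bytes it is handed, so here is an added example (not code from Dave's message, from Openfire, or from the SASL2 spec) of the two server-side checks. The function and variable names are mine; the test vectors are constructed. It assumes, as the message implies, that the legacy RFC 6120 profile uses a lone "=" for a zero-length initial response and an empty element for "none", whereas SASL2 drops the "=" hack and can signal "none" simply by omitting the element. The user-agent id check uses the standard library's UUID parser so that it can tell a well-formed UUID of another version from something that is not a UUID at all, which is the distinction point 3 asks about; the strict/lenient policies are illustrative, not spec guidance.

```python
import base64
import uuid
from typing import Optional, Tuple

# --- Point 3: what did the client actually put in user-agent/@id? ---------

def classify_user_agent_id(value: Optional[str]) -> str:
    """Return "uuidv4", "uuid-vN" (well-formed UUID of another version),
    "uuid-unknown-variant" (parses, but not an RFC 4122 variant) or
    "not-uuid" for anything uuid.UUID() refuses to parse."""
    try:
        parsed = uuid.UUID(value)  # accepts hyphenated, braced and urn: forms
    except (ValueError, AttributeError, TypeError):
        return "not-uuid"
    if parsed.version == 4:
        return "uuidv4"
    if parsed.version is None:  # version is only reported for RFC 4122 variants
        return "uuid-unknown-variant"
    return f"uuid-v{parsed.version}"


def accept_user_agent_id(value: Optional[str], strict: bool) -> Tuple[bool, str]:
    """Illustrative server policy (an assumption, not spec text): a purist
    server rejects anything that is not a UUIDv4, a lenient one accepts it
    but records why, so the deviation shows up in logs rather than silently."""
    kind = classify_user_agent_id(value)
    if kind == "uuidv4":
        return True, "ok"
    if strict:
        return False, f"rejected: user-agent id is {kind}, spec requires UUIDv4"
    return True, f"accepted with warning: user-agent id is {kind}"


# --- Point 1: decoding the initial response with and without the "=" hack --

def decode_initial_response(text: Optional[str], legacy_sasl: bool) -> Optional[bytes]:
    """Map the element content to the SASL layer's three cases:
    None  -> no initial response was sent
    b""   -> an explicitly zero-length initial response
    bytes -> the decoded initial response
    Raises ValueError on content that is not valid base64.

    legacy_sasl=True follows the RFC 6120 convention: an empty element means
    "none" and a lone "=" means "zero-length". legacy_sasl=False models the
    SASL2 reading assumed here: an absent element (text is None) means "none"
    and an empty element means "zero-length", with no special casing of "=".
    """
    if text is None:
        return None
    stripped = text.strip()
    if legacy_sasl:
        if stripped == "":
            return None
        if stripped == "=":
            return b""
    elif stripped == "":
        return b""
    # validate=True makes non-alphabet characters an error instead of being
    # silently discarded, so a malformed payload is reported, not mangled.
    return base64.b64decode(stripped, validate=True)


if __name__ == "__main__":
    for candidate in ("3d7e3a1e-6f2b-4c8d-9a1f-0f1a2b3c4d5e",  # constructed v4
                      "6ba7b810-9dad-11d1-80b4-00c04fd430c8",  # v1 (DNS namespace)
                      "not-a-uuid", ""):
        print(repr(candidate), "->", accept_user_agent_id(candidate, strict=True))
    print(decode_initial_response("=", legacy_sasl=True))              # b''
    print(decode_initial_response("AHVzZXIAcGFzcw==", legacy_sasl=False))  # PLAIN-style bytes
```

The two modes of `decode_initial_response` make the point of item 1 concrete: a server that keeps serving both profiles has to carry the "=" special case for the old one, so a note in the SASL2 text that the hack is gone (and that the element's presence now carries the "none" versus "empty" distinction, if that is indeed the intent) would save implementers from porting it across by reflex.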