Hi all,

I'm currently implementing SASL2 (et al) into Openfire, which is amusing since I had the first implementation there years ago.

In doing so, I've a few comments, most of which are directed at past-me of course. Past-me is an idiot, and I have ample evidence of this.

1) One of the changes from the original SASL profile is that there's no need for (and no mention of) the "equals hack" to indicate no data. Should this be explicitly called out?

2) The user-agent - this is a SHOULD (well, RECOMMENDED, which means the same thing). The consequences of not including it are that other specifications might rely on it - the same as the id, which is also SHOULD. I dislike the amount of SHOULD here, it feels like the "outer" SHOULD is sufficient, and a user-agent with no id attribute is a bit useless.

3) The id string given MUST be a UUIDv4. What should the server do if it receives a non-UUID, or a UUID of a different type to v4? A purist might reject it, but this seems wrong - what guidance can we put here? If we accept any old string, and it's not a UUIDv4, what happens?

4) Second para of Initiation talks about an authorization string, but there's no such string defined. Was this intended to mean the requested authorization identity in the SASL mechanism? That's an interesting challenge, especially from just the initial-response which might not be present. I think I follow the intent here, but the detail seems off.

Dave.
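As an added example (not Openfire code and not part of the message above), here is what a server-side receiver of the SASL2 `<authenticate/>` element might do with points 1, 3 and 4: decode the initial response with and without the RFC 6120 "=" convention, sort the user-agent id into v4 UUID / other UUID / not a UUID so that policy can be decided in one place, and pull the requested authorization identity out of the initial response for the two mechanism families where it is encoded there (PLAIN per RFC 4616, SCRAM's GS2 header per RFC 5802), returning None when there is no initial response to look at. The element shape (namespace `urn:xmpp:sasl:2`, `<initial-response/>`, `<user-agent id='...'/>`) follows XEP-0388 as I understand it; the sample stanzas, user names and nonce are constructed here.

```python
"""Server-side checks for a SASL2 <authenticate/> element (added example).

Not Openfire code. Element shape follows XEP-0388 (urn:xmpp:sasl:2);
the sample stanzas below are constructed for this example.
"""
import base64
import uuid
import xml.etree.ElementTree as ET

SASL2_NS = "urn:xmpp:sasl:2"


def classify_id(value):
    """Sort a user-agent id into 'uuid4', 'uuid-other' or 'not-uuid'.

    uuid.UUID() accepts the usual textual forms. Its .version is None unless
    the variant is RFC 4122, so the nil UUID and NCS/Microsoft variants are
    reported as 'uuid-other' rather than being mistaken for a v4."""
    try:
        parsed = uuid.UUID(str(value))
    except ValueError:
        return "not-uuid"
    return "uuid4" if parsed.version == 4 else "uuid-other"


def decode_initial_response(text, legacy_equals_hack=False):
    """Element text -> bytes.

    RFC 6120 (6.4.2) sends a zero-length initial response as a lone "=",
    because an empty <auth/> already meant "no initial response". In SASL2
    an empty <initial-response/> carries the zero-length meaning itself, so
    the "=" rule is only honoured when the caller asks for it."""
    if legacy_equals_hack and text == "=":
        return b""
    return base64.b64decode(text, validate=True)


def authzid_from_initial_response(mechanism, data):
    """Requested authorization identity, '' if none was requested, or None
    when it cannot be known yet (no initial response, or a mechanism that
    carries it elsewhere)."""
    if data is None:
        return None
    if mechanism == "PLAIN":
        # RFC 4616: [authzid] NUL authcid NUL passwd, all UTF-8
        parts = data.split(b"\0")
        if len(parts) != 3:
            raise ValueError("malformed PLAIN message")
        return parts[0].decode("utf-8")
    if mechanism.startswith("SCRAM-"):
        # RFC 5802 client-first-message starts with the GS2 header:
        # cbind-flag "," [ "a=" saslname ] ","  (saslname escapes , and = as =2C and =3D)
        fields = data.decode("utf-8").split(",", 2)
        if len(fields) != 3:
            raise ValueError("malformed SCRAM client-first-message")
        authz = fields[1]
        if authz.startswith("a="):
            return authz[2:].replace("=2C", ",").replace("=3D", "=")
        return ""
    return None


def parse_authenticate(xml_text, legacy_equals_hack=False):
    """Parse one <authenticate/> and return what the server learns from it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SASL2_NS}}}authenticate":
        raise ValueError("not a SASL2 <authenticate/>")
    mechanism = root.get("mechanism")
    if not mechanism:
        raise ValueError("missing mechanism attribute")
    ir = root.find(f"{{{SASL2_NS}}}initial-response")
    data = None if ir is None else decode_initial_response(ir.text or "", legacy_equals_hack)
    ua = root.find(f"{{{SASL2_NS}}}user-agent")
    ua_id = None if ua is None else ua.get("id")
    return {
        "mechanism": mechanism,
        "user_agent_id": ua_id,
        "id_status": None if ua_id is None else classify_id(ua_id),
        "initial_response": data,
        "authzid": authzid_from_initial_response(mechanism, data),
    }


# Constructed sample stanzas (names, nonce and the v4 id are made up here).
def sample_plain(authzid="bob", ua_id="d4565fa7-4d72-4749-b3ab-fb3b6c2a2f08"):
    ir = base64.b64encode(f"{authzid}\0alice\0secret".encode()).decode()
    return (f"<authenticate xmlns='{SASL2_NS}' mechanism='PLAIN'>"
            f"<initial-response>{ir}</initial-response>"
            f"<user-agent id='{ua_id}'><software>ExampleClient</software></user-agent>"
            "</authenticate>")


def sample_scram_no_initial_response(ua_id="session-1"):
    return (f"<authenticate xmlns='{SASL2_NS}' mechanism='SCRAM-SHA-1'>"
            f"<user-agent id='{ua_id}'/></authenticate>")


if __name__ == "__main__":
    print(parse_authenticate(sample_plain()))
    print(parse_authenticate(sample_scram_no_initial_response()))
```

The three id buckets are deliberately kept apart from the decision about them: whether a v1 UUID or a plain string is rejected, accepted, or accepted and logged is exactly the open question in point 3, and keeping the classification separate from the policy means that question can be answered in one place later without touching the parser.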