[Council] XEP-0178 (was: Re: Minutes 2011-04-27)

Matthew Wild matthew at prosody.im
Wed May 11 15:12:37 UTC 2011


On 11 May 2011 15:24, Kevin Smith <kevin at kismith.co.uk> wrote:
> On Wed, May 11, 2011 at 2:52 PM, Kevin Smith <kevin at kismith.co.uk> wrote:
>> On Wed, May 11, 2011 at 2:46 PM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
>>> On 5/10/11 6:13 AM, Ralph Meijer wrote:
>>>> On Tue, 2011-05-10 at 12:18 +0100, Kevin Smith wrote:
>>>>
>>>>> 4) Update XEP-0178 (Best Practices for Use of SASL EXTERNAL with
>>>>> Certificates) with the interim version 1.1rc5
>>>>>
>>>>> Everyone to vote onlist by 11th May (a fortnight).
>>>>
>>>> +1
>>>
>>> Ralph's is the only position I've seen expressed on XEP-0178. Anyone else?
>>>
>>> http://xmpp.org/extensions/tmp/xep-0178-1.1.html
>>>
>>> http://xmpp.org/extensions/diff/api/xep/0178/diff/1.0/vs/1.1rc6
>>
>> It's on my TODO for the next hour. I'm just cutting it quite close.
>

Heh, I've had it open in a browser window for a week...

> "If the certificate contains more than one valid XMPP address that
> corresponds to a registered account on the server (e.g., because the
> server offers virtual hosting), then the server SHOULD allow
> authentication and authorization of the JID specified as the
> authorization identity in the SASL exchange."
>
> I *think* you can read that as saying that if I can provide a cert
> valid for both alice at wonderland.lit and lostgirl at wonderland.lit, if I
> specify hatter at wonderland.lit in my authzid, the server SHOULD log me
> in as hatter. Probably needs clarification that it needs to be an
> authzid that's present in the cert.
>

Section 2 part 10 c also looks wrong. If the cert contains no JID,
then the rest of the paragraph doesn't make much sense, just a minor
fix I think.

Also, not to block publication, but I think the whole authzid handling
can be made much simpler. I'll post a summary of my thoughts to
standards@ "soon".

Regards,
Matthew
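Added illustration (not part of the thread, the XEP text, or any XMPP server's code): a server-side decision routine for the authzid rule quoted above, written from the defender's side. It assumes certificate parsing has already produced the list of XMPP addresses carried in the certificate (`cert_jids`, standing in for subjectAltName id-on-xmppAddr values) and a set of JIDs registered on the server; `select_authzid`, `normalize_jid` and `rejects` are hypothetical names. It encodes Kevin's point that a requested authzid must itself be present in the certificate, and Matthew's "no JID in the cert" case; when the certificate carries several valid addresses and the client sends no authzid, this example rejects rather than guessing, which is the example's own choice and not something the quoted text settles.

```python
"""Authorization-identity selection for SASL EXTERNAL with client certificates.

Hypothetical example for the XEP-0178 clause discussed in the thread.
`cert_jids` stands in for the XMPP addresses already extracted from the
certificate's subjectAltName; no X.509 parsing is done here.
"""


class AuthzError(Exception):
    """Raised when no authorization identity can be granted."""


def normalize_jid(jid):
    """Return a bare JID with the domain part lower-cased.

    Strips any resource. Domains are case-insensitive in XMPP; this toy
    does not apply stringprep/PRECIS to the localpart.
    """
    bare = jid.split("/", 1)[0]
    if "@" in bare:
        local, domain = bare.rsplit("@", 1)
        return f"{local}@{domain.lower()}"
    return bare.lower()


def select_authzid(cert_jids, requested_authzid, registered):
    """Decide which JID the client is authorized as.

    cert_jids         -- XMPP addresses found in the certificate (assumed input)
    requested_authzid -- authzid from the SASL EXTERNAL initial response,
                         or None/"" when the client sent none
    registered        -- JIDs that correspond to accounts on this server

    Returns the bare JID to log the client in as, or raises AuthzError.
    """
    registered = {normalize_jid(j) for j in registered}
    # Only certificate addresses that map to a local account are "valid".
    valid = [normalize_jid(j) for j in cert_jids
             if normalize_jid(j) in registered]

    if not valid:
        # The case Matthew flags: no usable JID in the cert at all.
        raise AuthzError("certificate carries no XMPP address for an account here")

    if not requested_authzid:
        if len(valid) == 1:
            return valid[0]
        # Example's own policy: several candidates and no authzid -> refuse.
        raise AuthzError("certificate has several valid addresses; authzid required")

    wanted = normalize_jid(requested_authzid)
    if wanted not in valid:
        # Kevin's clarification: the authzid must itself be in the certificate.
        raise AuthzError(f"authzid {requested_authzid!r} is not present in the certificate")
    return wanted


def rejects(cert_jids, requested_authzid, registered):
    """True if select_authzid refuses this combination (helper for checks)."""
    try:
        select_authzid(cert_jids, requested_authzid, registered)
    except AuthzError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data, using the JIDs from the thread.
    accounts = {"alice@wonderland.lit", "lostgirl@wonderland.lit",
                "hatter@wonderland.lit"}
    both = ["alice@wonderland.lit", "lostgirl@wonderland.lit"]
    print(select_authzid(both, "lostgirl@wonderland.lit", accounts))
    print(rejects(both, "hatter@wonderland.lit", accounts))  # hatter not in cert
```

Run as-is it prints the granted JID for the first call and `True` for the second: a certificate valid for alice and lostgirl never yields a hatter session, whatever authzid the client asks for.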
