[Council] XEP-0178

Peter Saint-Andre stpeter at stpeter.im
Wed May 11 15:21:59 UTC 2011


On 5/11/11 9:12 AM, Matthew Wild wrote:
> On 11 May 2011 15:24, Kevin Smith <kevin at kismith.co.uk> wrote:
>> On Wed, May 11, 2011 at 2:52 PM, Kevin Smith <kevin at kismith.co.uk> wrote:
>>> On Wed, May 11, 2011 at 2:46 PM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
>>>> On 5/10/11 6:13 AM, Ralph Meijer wrote:
>>>>> On Tue, 2011-05-10 at 12:18 +0100, Kevin Smith wrote:
>>>>>
>>>>>> 4) Update XEP-0178 (Best Practices for Use of SASL EXTERNAL with
>>>>>> Certificates) with the interim version 1.1rc5
>>>>>>
>>>>>> Everyone to vote on-list by 11th May (a fortnight).
>>>>>
>>>>> +1
>>>>
>>>> Ralph's is the only position I've seen expressed on XEP-0178. Anyone else?
>>>>
>>>> http://xmpp.org/extensions/tmp/xep-0178-1.1.html
>>>>
>>>> http://xmpp.org/extensions/diff/api/xep/0178/diff/1.0/vs/1.1rc6
>>>
>>> It's on my TODO for the next hour. I'm just cutting it quite close.
>>
> 
> Heh, I've had it open in a browser window for a week...

It's now rc7:

http://xmpp.org/extensions/diff/api/xep/0178/diff/1.0/vs/1.1rc7

>> "If the certificate contains more than one valid XMPP address that
>> corresponds to a registered account on the server (e.g., because the
>> server offers virtual hosting), then the server SHOULD allow
>> authentication and authorization of the JID specified as the
>> authorization identity in the SASL exchange."
>>
>> I *think* you can read that as saying that if I can provide a cert
>> valid for both alice at wonderland.lit and lostgirl at wonderland.lit, if I
>> specify hatter at wonderland.lit in my authzid, the server SHOULD log me
>> in as hatter. Probably needs clarification that it needs to be an
>> authzid that's present in the cert.
>>
> 
> Section 2 part 10 c also looks wrong. If the cert contains no JID,
> then the rest of the paragraph doesn't make much sense, just a minor
> fix I think.

Right. From:

If the client certificate does not contain a JID, then the client MAY
include an authorization identity, but only if it desires to be
authorized as a JID other than the address in the client certificate...

To:

If the client certificate does not contain a JID, then the client MAY
include an authorization identity, but only if it desires to be
authorized as a JID other than the address specified during SASL
negotiation...

> Also, not to block publication, but I think the whole authzid handling
> can be made much simpler. I'll post a summary of my thoughts to
> standards@ "soon".

OK. There's really no huge hurry. I'd like to get this right.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
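The authorization rule debated above (a cert with several usable XMPP addresses needs an authzid, and, per the tightening Kevin asks for, that authzid must itself be one of the addresses in the certificate) as an added Python model; this is not code from the thread or from any XMPP server. It assumes the certificate's XMPP addresses have already been extracted from its id-on-xmppAddr subjectAltName entries, that `registered` is a constructed set of the server's own accounts, and it fails closed for the no-JID-in-cert case of step 10 c, whose wording the thread is still revising.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Decision:
    ok: bool
    jid: Optional[str]   # JID the session is authorized as, when ok
    reason: str

def normalize_jid(jid: str) -> str:
    """Bare JID with a case-folded domain. Simplification: full stringprep/
    PRECIS handling of the localpart is assumed to happen before this point."""
    bare = jid.split("/", 1)[0]
    local, sep, domain = bare.rpartition("@")
    return f"{local}@{domain.lower()}" if sep else domain.lower()

def authorize_external(cert_jids: Iterable[str], authzid: Optional[str],
                       registered: frozenset) -> Decision:
    """Pick the authorization identity for a SASL EXTERNAL login.

    cert_jids:  XMPP addresses found in the verified client certificate
    authzid:    authorization identity sent in the SASL exchange ("" or None = absent)
    registered: normalized bare JIDs of accounts hosted on this server (constructed)
    """
    in_cert = {normalize_jid(j) for j in cert_jids}
    usable = {j for j in in_cert if j in registered}  # cert JIDs that are local accounts
    if authzid:
        requested = normalize_jid(authzid)
        # The tightening raised in the thread: an authzid the client names must
        # itself be in the certificate, otherwise a cert for alice could log in
        # as hatter. A cert carrying no JID is also refused here (fail closed).
        if requested not in in_cert:
            return Decision(False, None, "authzid not present in certificate")
        if requested not in registered:
            return Decision(False, None, "authzid is not an account on this server")
        return Decision(True, requested, "authzid matches a certificate address")
    if len(usable) == 1:
        return Decision(True, next(iter(usable)), "single usable certificate address")
    if not usable:
        return Decision(False, None, "no certificate address is an account here")
    return Decision(False, None, "several usable addresses; authzid required")

if __name__ == "__main__":
    # Constructed account list for the wonderland.lit example used in the thread.
    accounts = frozenset({"alice@wonderland.lit", "lostgirl@wonderland.lit",
                          "hatter@wonderland.lit"})
    cert = ["alice@wonderland.lit", "lostgirl@wonderland.lit"]
    print(authorize_external(cert, "hatter@wonderland.lit", accounts))   # refused
    print(authorize_external(cert, "lostgirl@wonderland.lit", accounts)) # ok as lostgirl
```

The XEP's SHOULD for the multi-address case is rendered here as "refuse unless an authzid is given"; a server that prefers a default choice would change only the final branch.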


