[standards-jig] Advanced authentication

Robert Norris rob at cataclysm.cx
Mon May 6 23:40:25 UTC 2002


> I just had the opportunity to really dig into SASL last week as a result
> of some ongoing IETF discussions, and learning that no matter what we at a
> minimum need to provide a Jabber profile for SASL.

Alright. I'm happy to go with SASL if we're forced to. I wasn't aware
that the IETF was forcing it.

> I suggest that everyone interested at least read RFC 2222, even just the
> first parts, it's pretty short and easy (in comparison to other RFCs).
> I've started writing down my thoughts and simple XML namespace here:
> 
> 	http://home.jeremie.com/sasl.txt

Looks fairly straightforward.

> Anyway, there is the other question of how to use SASL.  It's easy to just
> throw it into its own IQ, or alternatively make it something that is
> extended to work in the legacy jabber:iq:auth framework.  There is one
> other alternative, and it's one I've been considering in more depth as a
> fully "unifying" possibility.  
> 
> A SASL namespace could be used at the stream layer to auth the stream
> itself, outside of the realm of the Jabber traffic (much like dialback):
> 
> <stream:stream xmlns="jabber:client" xmlns:sasl="http://...sasl">
> <sasl:sasl status="..."/>
> ...

This looks fine, as long as we allow for authentication between two
entities as well as stream authentication (which shouldn't be a problem
if we just wrap the SASL stuff in an IQ).

> This is unifying in that it can be used by S2S and the internal component
> connections supported by the servers, as well as by clients. Also, for C2S
> connections it could be used in a way that complements the existing
> iq:auth instead of replacing it, where you would use SASL to authorize the
> client stream, and the iq:auth would associate the resource.

Sounds a bit hacky, but it might be a good transition step. Whatever.

> Just some additional thoughts and discussion :)

Thanks, I'll go and chew on it some more :)

Rob.

-- 
Robert Norris                                       GPG: 1024D/FC18E6C2
Email+Jabber: rob at cataclysm.cx                Web: http://cataclysm.cx/
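To make the stream-level proposal concrete, here is an added Python sketch of the exchange the quoted snippet hints at: the client sends a single `sasl` element at the stream layer and the server answers with another carrying `status="success"` or `status="failure"`. This is example code written for this page, not code from the post or from the sasl.txt proposal. It assumes things the thread leaves open: the namespace (the post elides it as `http://...sasl`, so a placeholder is used), the mechanism (PLAIN, RFC 2595 framing, assumed because it is the simplest profile to show), a constructed salted credential store, and element and attribute names that are hypothetical. The server side shows the checks a verifier wants regardless of where SASL is placed: reject malformed input without raising, refuse an authorization identity that differs from the authentication identity, and compare hashes in constant time while doing the same amount of work for unknown users.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Placeholder: the post elides the real namespace as "http://...sasl".
SASL_NS = "urn:example:jabber:sasl-placeholder"

# Constructed credential store: salted PBKDF2 hashes, never plaintext passwords.
_SALT = b"constructed-demo-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"rob": _hash("correct horse")}


def _element(status, attrs=None, text=None):
    el = ET.Element(f"{{{SASL_NS}}}sasl", dict(attrs or {}, status=status))
    el.text = text
    return ET.tostring(el, encoding="unicode")


def client_initial(authzid, authcid, password):
    """Client's first stream-level element: a PLAIN initial response
    (authzid NUL authcid NUL passwd, base64-encoded) with status="start"."""
    payload = "\0".join([authzid, authcid, password]).encode("utf-8")
    return _element("start", {"mechanism": "PLAIN"},
                    base64.b64encode(payload).decode("ascii"))


def server_handle(xml_text):
    """Server side: parse the client element and reply with status success or
    failure. Every malformed or bad input is a failure reply, never an exception."""
    try:
        el = ET.fromstring(xml_text)
    except ET.ParseError:
        return _element("failure", text="malformed-xml")
    if el.tag != f"{{{SASL_NS}}}sasl" or el.get("mechanism") != "PLAIN":
        return _element("failure", text="invalid-mechanism")
    try:
        # validate=True rejects stray characters instead of silently dropping them.
        raw = base64.b64decode(el.text or "", validate=True)
        parts = raw.decode("utf-8").split("\0")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return _element("failure", text="malformed-response")
    if len(parts) != 3:
        return _element("failure", text="malformed-response")
    authzid, authcid, password = parts
    # PLAIN lets a client ask to act as someone else; this toy server does not
    # allow proxy authorization, so a differing authzid is refused.
    if authzid and authzid != authcid:
        return _element("failure", text="invalid-authzid")
    stored = USERS.get(authcid)
    # Hash the candidate even for unknown users so timing does not reveal
    # which account names exist; compare in constant time.
    candidate = _hash(password)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return _element("failure", text="not-authorized")
    return _element("success")


def status_of(xml_text):
    """Read the status attribute of a server reply."""
    return ET.fromstring(xml_text).get("status")


if __name__ == "__main__":
    for creds in [("", "rob", "correct horse"), ("", "rob", "wrong"), ("alice", "rob", "correct horse")]:
        reply = server_handle(client_initial(*creds))
        print(creds[1], "->", status_of(reply), reply)
```

Because the mechanism is PLAIN, the password crosses the wire base64-encoded but otherwise in the clear; the stream itself has to be protected before this exchange is acceptable, which is one reason the choice of mechanism matters more than whether the element lives in the stream header or in an IQ.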