[standards-jig] Advanced authentication

Iain Shigeoka iainshigeoka at yahoo.com
Wed May 8 17:31:03 UTC 2002


On 5/6/02 4:40 PM, "Robert Norris" <rob at cataclysm.cx> wrote:

>> A SASL namespace could be used at the stream layer to auth the stream
>> itself, outside of the realm of the Jabber traffic (much like dialback):
>> 
>> <stream:stream xmlns="jabber:client" xmlns:sasl="http://...sasl">
>> <sasl:sasl status="..."/>
>> ...

I like this approach.  It is very BEEP-ish which I think is good.

> This looks fine, as long as we allow for authentication between two
> entities as well as stream authentication (which shouldn't be a problem
> if we just wrap the SASL stuff in an IQ).

Perhaps we could move iq:auth to this function.

>> This is unifying in that it can be used by S2S and the internal component
>> connections supported by the servers, as well as by clients. Also, for C2S
>> connections it could be used in a way that complements the existing
>> iq:auth instead of replacing it, where you would use SASL to authorize the
>> client stream, and the iq:auth would associate the resource.

It would be nice to create a unified auth scheme for c2s and s2s.

> Sounds a bit hacky, but it might be a good transition step. Whatever.
> 
>> Just some additional thoughts and discussion :)
> 
> Thanks, I'll go and chew on it some more :)

Robert, don't give up your convictions!  Groupthink is bad, so if you have a
contrary opinion, keep plugging it (while keeping an open mind, of course).
Debate can only help in creating a good spec.

-iain



