[Standards-JIG] UPDATED: XEP-0178 (Best Practices for Use of SASL EXTERNAL)

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Tue Nov 28 06:53:06 UTC 2006

On Monday 27 November 2006 9:36 pm, XMPP Extensions Editor wrote:
> Version 0.4 of XEP-0178 (Best Practices for Use of SASL EXTERNAL) has been
> released.

Possibly not related to this update, but I don't understand why Section 2, 
Step 10 says: "The client SHOULD NOT include an authorization identity since 
client-to-server authorization in XMPP is handled during resource binding."

That doesn't sound right at all.  Authorization is handled in SASL, not
resource binding.  Authzid is used by other SASL mechanisms; there's no
reason EXTERNAL would be different.

This also cleans up Step 11 a little bit.  Case 1 would be modified to accept 
any JID listed in the cert, and Case 2 could be removed (I don't see a reason 
to drag the stream's 'to' attribute into play here).
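
The check this message proposes for Step 11 (accept a requested authzid only if it matches a JID listed in the certificate), as an added example that is not part of the original post or of XEP-0178. The function names, the sample JIDs, the lowercase-only JID comparison and the handling of a missing authzid are assumptions of this sketch.

```python
import base64
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


def requested_authzid(auth_xml):
    """Return the authzid from a SASL EXTERNAL <auth/> element, or None if absent."""
    el = ET.fromstring(auth_xml)
    if el.tag != "{%s}auth" % SASL_NS or el.get("mechanism") != "EXTERNAL":
        raise ValueError("not a SASL EXTERNAL <auth/> element")
    payload = (el.text or "").strip()
    if payload in ("", "="):  # "=" encodes a zero-length initial response
        return None
    return base64.b64decode(payload, validate=True).decode("utf-8")


def normalize(jid):
    # Simplification (assumption): real servers apply stringprep to JIDs.
    return jid.strip().lower()


def authorize(auth_xml, cert_jids):
    """Return the JID the stream is authorized as, or None to fail SASL."""
    allowed = {normalize(j) for j in cert_jids}
    authzid = requested_authzid(auth_xml)
    if authzid is None:
        # Assumption: without an authzid, only a single-JID cert is unambiguous.
        return next(iter(allowed)) if len(allowed) == 1 else None
    authzid = normalize(authzid)
    return authzid if authzid in allowed else None


def make_auth(authzid=None):
    """Build a constructed sample <auth/> element for the demo."""
    body = "=" if authzid is None else base64.b64encode(authzid.encode()).decode()
    return "<auth xmlns='%s' mechanism='EXTERNAL'>%s</auth>" % (SASL_NS, body)


# Constructed sample: JIDs a server might have extracted from a client cert.
CERT_JIDS = ["juliet@example.com", "juliet@example.org"]

if __name__ == "__main__":
    for requested in ("juliet@example.org", "romeo@example.net", None):
        print(requested, "->", authorize(make_auth(requested), CERT_JIDS))
```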

