[Standards-JIG] UPDATED: XEP-0178 (Best Practices for Use of SASL EXTERNAL)

Mridul Mridul.Muralidharan at Sun.COM
Tue Nov 28 10:17:34 UTC 2006


Justin Karneges wrote:
> On Monday 27 November 2006 9:36 pm, XMPP Extensions Editor wrote:
>   
>> Version 0.4 of XEP-0178 (Best Practices for Use of SASL EXTERNAL) has been
>> released.
>>     
>
> Possibly not related to this update, but I don't understand why Section 2, 
> Step 10 says: "The client SHOULD NOT include an authorization identity since 
> client-to-server authorization in XMPP is handled during resource binding."
>
> That doesn't sound right at all.  Authorization is handled in SASL, not 
> resource binding.  

  I dont see what else the client can present ... other than what has
been asserted in the cert already.
The authentication will be as a jid specific to the 'to' in the inbound.
In resource binding stage, if bind is attempted to any other barejid -
error : just like currently if you authenticate as userA and try to bind
as userB.


Regards,
Mridul

> Authzid is used by other SASL mechanisms, there's no 
> reason EXTERNAL would be different.
>
> This also cleans up Step 11 a little bit.  Case 1 would be modified to accept 
> any JID listed in the cert, and Case 2 could be removed (I don't see a reason 
> to drag the stream's 'to' attribute into play here).
>
> -Justin
>   




More information about the Standards mailing list