[Standards-JIG] UPDATED: XEP-0178 (Best Practices for Use of SASL EXTERNAL)

Matthias Wimmer m at tthias.eu
Tue Nov 28 12:36:09 UTC 2006

Hi Mridul!

I still have to read the modified XEP, but ...

Mridul wrote:
>> Possibly not related to this update, but I don't understand why Section 2, 
>> Step 10 says: "The client SHOULD NOT include an authorization identity since 
>> client-to-server authorization in XMPP is handled during resource binding."
>> That doesn't sound right at all.  Authorization is handled in SASL, not 
>> resource binding.  
>   I don't see what else the client can present ... other than what has
> been asserted in the cert already.

... what step 10 is about is not what is in the cert, but what is sent in
the SASL exchange. What the client has in his certificate is not the
authorization identity, but the authentication identity. (While in the
SASL exchange it is indeed the authorization identity.)

authentication identity:
    Tells who you are.

authorization identity:
    Tells as whom you act.

E.g. if you can authenticate as 'admin at example.com' (i.e. you can prove
by your certificate that you are this user), you will probably be allowed to
authorize as any user of 'example.com' (i.e. login as 'romeo at example.com').

Most modern SASL mechanisms differentiate between these two things - so
does SASL EXTERNAL. Authentication is done by the external 'thing' (TLS
in our case), but Authorization is still done by SASL.

Tot kijk

Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
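An added illustration in Python, not part of the thread or of XEP-0178, of the distinction the mail draws: the client encodes the optional authorization identity as the SASL EXTERNAL initial response, and the server decides whether the authentication identity proven by the verified TLS certificate may act as the requested authorization identity. The rule that 'admin' of a domain may act as any user of that domain is the mail's own example, used here as a hypothetical policy.

```python
import base64

# Hypothetical policy taken from the example in the mail: a certificate that
# authenticates the 'admin' user of a domain may be authorized as any user of
# that domain; everyone else may only act as themselves. Not taken from the XEP.
PRIVILEGED_LOCALPART = "admin"


def encode_authzid(authzid):
    """Client side: build the initial response for <auth mechanism='EXTERNAL'/>.
    XMPP encodes an empty initial response as the single character '='."""
    if authzid == "":
        return "="
    return base64.b64encode(authzid.encode("utf-8")).decode("ascii")


def decode_initial_response(initial_response):
    """Server side: recover the requested authorization identity (may be empty)."""
    if initial_response == "=":
        return ""
    return base64.b64decode(initial_response, validate=True).decode("utf-8")


def split_jid(jid):
    """Return (localpart or None, domain) for a bare JID."""
    local, sep, domain = jid.partition("@")
    return (local, domain) if sep else (None, jid)


def authorize_external(authn_identity, initial_response):
    """Decide whether the authentication identity (what the verified TLS
    certificate proves) may act as the requested authorization identity.
    Returns (allowed, effective_authzid)."""
    authzid = decode_initial_response(initial_response)
    if authzid == "":
        # Step 10 case: no authzid sent, so it defaults to the authenticated identity.
        return True, authn_identity
    if authzid == authn_identity:
        return True, authzid
    authn_local, authn_domain = split_jid(authn_identity)
    authz_local, authz_domain = split_jid(authzid)
    if (authn_local == PRIVILEGED_LOCALPART and authz_local is not None
            and authn_domain == authz_domain):
        return True, authzid
    return False, None
```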
