[Standards-JIG] UPDATED: XEP-0178 (Best Practices for Use of SASL EXTERNAL)

Mridul Mridul.Muralidharan at Sun.COM
Tue Nov 28 14:29:52 UTC 2006


Matthias Wimmer wrote:
> Hi Mridul!
>
> I still have to read the modified XEP, but ...
>
> Mridul schrieb:
>   
>>> Possibly not related to this update, but I don't understand why Section 2, 
>>> Step 10 says: "The client SHOULD NOT include an authorization identity since 
>>> client-to-server authorization in XMPP is handled during resource binding."
>>>
>>> That doesn't sound right at all.  Authorization is handled in SASL, not 
>>> resource binding.  
>>>       
>>   I don't see what else the client can present ... other than what has
>> been asserted in the cert already.
>>     
>
> ... what step 10 is about is not what is in the cert, but what is sent in
> the SASL exchange. What the client has in his certificate is not the
> authorization identity, but the authentication identity. (While in the
> SASL exchange it is indeed the authorization identity.)
>
>
> authentication identity:
>     Tells who you are.
>
> authorization identity:
>     Tells as whom you act.
>
> E.g. if you can authenticate as 'admin at example.com' (i.e. you can prove
> by your certificate that you are this user), you will probably be allowed to
> authorize as any user of 'example.com' (i.e. login as 'romeo at example.com').
>
> Most modern SASL mechanisms differentiate between these two things - so
> does SASL EXTERNAL. Authentication is done by the external 'thing' (TLS
> in our case), but Authorization is still done by SASL.
>
>   

You are right about differentiating between authentication and authorization:
hence in the normal case, you could authenticate as userA through SASL and
authorize (bind) as userB.
In this specific context - you already did your auth as userA (through
TLS), and the bind for authorization comes at a later stage. SASL
EXTERNAL is just indicating that you want to reuse the auth creds as
negotiated by the underlying TLS session and not provide another set of
creds using SASL PLAIN or DIGEST-MD5, etc.

Regards
Mridul

> Tot kijk
>     Matthias
>
>   
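As an added illustration of the authentication-versus-authorization distinction discussed in this thread (not code from the thread, from XEP-0178 or from any XMPP server), here is a server-side policy check for SASL EXTERNAL: the authentication identity is the address extracted from the client's TLS certificate, the authorization identity is whatever the client put in the base64 initial response of `<auth/>` (an empty response is sent as a single `=`), and the "admin may act as any user of its domain" rule is Matthias's example, adopted here as an assumed policy; the admin set and addresses are constructed.

```python
import base64
import re
from typing import Optional

# Constructed policy: which authentication identities may act as other users.
DOMAIN_ADMINS = {"admin@example.com"}

# Bare XMPP address (localpart@domain); no resource, since binding comes later.
JID_RE = re.compile(r"^[^@/\s]+@[^@/\s]+$")

def encode_initial_response(authzid: str) -> str:
    """Client side: body of <auth mechanism='EXTERNAL'>. Empty authzid is '='."""
    return "=" if authzid == "" else base64.b64encode(authzid.encode()).decode()

def decode_initial_response(auth_text: str) -> str:
    """Server side: recover the requested authorization identity ('' if none)."""
    if auth_text == "=":
        return ""
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode(auth_text, validate=True).decode("utf-8")

def may_act_as(authn_id: str, authz_id: str, admins=DOMAIN_ADMINS) -> bool:
    """Authorization rule: anyone may act as themselves; a domain admin may act
    as any bare JID of its own domain (Matthias's example, assumed policy)."""
    if authn_id == authz_id:
        return True
    if authn_id in admins:
        return authn_id.split("@", 1)[1] == authz_id.split("@", 1)[1]
    return False

def sasl_external_authorize(cert_identity: str, auth_text: str,
                            admins=DOMAIN_ADMINS) -> Optional[str]:
    """Return the identity the session is authorized as, or None to reject.

    cert_identity: address the server already extracted from a validated
    client certificate (the *authentication* identity).
    auth_text: base64 payload the client sent in <auth/>.
    """
    if not JID_RE.match(cert_identity):
        return None
    try:
        requested = decode_initial_response(auth_text)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed initial response: abort the SASL exchange
    if requested == "":
        return cert_identity  # no authzid: act as the certificate subject
    if not JID_RE.match(requested):
        return None
    return requested if may_act_as(cert_identity, requested, admins) else None
```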