[Standards-JIG] UPDATED: XEP-0178 (Best Practices for Use of SASL EXTERNAL)

Dave Cridland dave at cridland.net
Tue Nov 28 16:48:12 UTC 2006

On Tue Nov 28 05:36:59 2006, XMPP Extensions Editor wrote:
> Version 0.4 of XEP-0178 (Best Practices for Use of SASL EXTERNAL) 
> has been released.

I read this, and a couple of things stand out for me - sufficient for 
me to ask Alexey Melnikov to read it through. I've re-interpreted 
some of his comments, and added some of my own. Mistakes are still my 
own. :-)

1) The server should authenticate the user before offering EXTERNAL. 
Offering EXTERNAL implies that it's already been authenticated by 
some unspecified means. Failure to authenticate via a certificate 
simply means that the server doesn't offer EXTERNAL - it shouldn't 
close the connection simply due to not recognizing the certificate, 
it's essentially the same situation as not having a certificate at 

2) The <auth/> element has to contain some character data, although 
this would typically be an empty response - "=" - for clients, and 
probably servers too. RFC4422 essentially says that clients shouldn't 
make any assumption about how the server will bind an authorization 
identity, so in theory there's an argument for the client explicitly 
specifying its JID here. Alexey commented here that "But I am not 
sure this should be mentioned at all".

3) Resource binding doesn't authorize, as others have pointed out.

4) Alexey spotted that the document's recommended course of action if 
the EXTERNAL mechanism fails is to close the stream - there's no need 
to this, the client might be able to authenticate using a different 

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

More information about the Standards mailing list