[Standards-JIG] UPDATED: XEP-0178 (Best Practices for Use of SASL EXTERNAL)

Matthias Wimmer m at tthias.eu
Tue Nov 28 17:00:56 UTC 2006

Hi Dave!

Dave Cridland wrote:
> 1) The server should authenticate the user before offering EXTERNAL.
> Offering EXTERNAL implies that it's already been authenticated by some
> unspecified means. Failure to authenticate via a certificate simply
> means that the server doesn't offer EXTERNAL - it shouldn't close the
> connection simply due to not recognizing the certificate, it's
> essentially the same situation as not having a certificate at all.

Exactly - I have been trying to explain that for a long time now.

> 4) Alexey spotted that the document's recommended course of action if
> the EXTERNAL mechanism fails is to close the stream - there's no need to
> do this, the client might be able to authenticate using a different mechanism.

If TLS certificate verification fails, I agree with you that there is
no reason to close the stream - just don't offer EXTERNAL (as you
proposed) and check if other authentication methods are available. Only
if no other authentication methods (either SASL, JEP-0078, or Dialback)
are left (or they are not acceptable due to local security policy settings)
should you close the stream.

The other thing is if EXTERNAL has been offered (i.e. TLS was able to
verify the authentication identity), but EXTERNAL failed to authorize
(i.e. the peer tried to authorize as someone he is not allowed to
authorize as); that might be considered a final authorization failure
causing a stream-close. I am not sure about that one yet.

See you

Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
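The policy argued for in this thread, as an added example (not code from the thread or from any XMPP server): EXTERNAL is advertised only when TLS already verified the peer, an unverifiable certificate just drops EXTERNAL from the offer, the stream is closed only when no policy-acceptable mechanism remains, and an EXTERNAL request is authorized only for an identity the certificate actually verified. Type names, the mechanism tuple and the sample identities are assumptions; the returned failure conditions are the standard XMPP SASL ones.

```python
# Added example, not from the thread or any XMPP server implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsState:
    # Identities the server verified from the peer certificate; empty when
    # no certificate was presented or verification failed (assumed shape).
    verified_ids: frozenset = frozenset()


def offered_mechanisms(tls: TlsState, other_mechs: tuple) -> tuple:
    """Advertise EXTERNAL only when TLS already authenticated the peer.

    A missing or unverifiable certificate simply means no EXTERNAL; the
    other mechanisms stay on offer and the stream stays open.
    """
    mechs = list(other_mechs)
    if tls.verified_ids:
        mechs.insert(0, "EXTERNAL")
    return tuple(mechs)


def must_close_stream(mechs: tuple, policy_allowed: frozenset) -> bool:
    """Close the stream only when nothing acceptable under local policy
    is left to offer."""
    return not any(m in policy_allowed for m in mechs)


def handle_external(tls: TlsState, authzid: str) -> str:
    """Authorize an EXTERNAL request.

    Returns "success" or a SASL failure condition. The requested
    authorization identity must be one the certificate verified; an
    empty authzid means "authorize as the identity TLS verified".
    """
    if not tls.verified_ids:
        return "invalid-mechanism"  # EXTERNAL was never offered
    if authzid == "":
        if len(tls.verified_ids) == 1:
            return "success"
        return "invalid-authzid"  # ambiguous: several verified identities
    if authzid in tls.verified_ids:
        return "success"
    return "invalid-authzid"  # peer asked for an identity it does not hold
```

Whether an `invalid-authzid` result from EXTERNAL should also end the stream is the open question in the message above; the code leaves that decision to the caller.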
