[Standards-JIG] re-authentication

Matthias Wimmer m at tthias.eu
Thu Sep 28 21:21:03 UTC 2006

Hi Peter!

Peter Saint-Andre schrieb:
> Section 3.8 of RFC 4422 states:
>    Unless explicitly permitted in the protocol (as stated in the
>    protocol's technical specification), only one successful SASL
>    authentication exchange may occur in a protocol session.
> Given that XMPP connections can be long-lived (you could be connected
> for weeks or months!), it seems that we might want to define a way for
> the server (i.e., receiving entity) to request re-authentication by the
> initiating entity. (For example, perhaps the X.509 certificate you used
> while authenticating expires during your session.)

While I do not know if we need SASL-reauthentication, and currently I do
not want to give an answer on that ...

We do not need SASL reauthentication for the use-case you provided.

- I do not think that a session gets invalid because of a certificate
  expiring while the session persists. For me certificate expiration
  date just means that you cannot authenticate with that certificate
  afterwards (e.g. because the CA will possibly delete a revocation
  certificate after that date from the revocation list).
  Compare it with a bank account. When you open a bank account here in
  Germany, you have to prove your identity showing your identity card.
  But once this identity has been proven you do not have to show a new
  identity card after the old one expired.
- Using TLS and certificates means we are using the SASL EXTERNAL
  mechanism. This means SASL did not _authenticate_ the user but just
  did _authorization_. If you want to re_authenticate_ a user in that
  case it is not the task of SASL to do this, but the task of TLS.
  And TLS already has all you need for a reauthentication. It is already
  possible using TLS+SASL EXTERNAL to rerequest authentication of a

If we are asking, if we should support SASL-reauthentication, I think we
have to ask, if we want to support changing the _authorization_ identity
used by one end of a connection. I.e. if we want to support a connection
to be first used by user1 at example.com, and that connection gets reused
by user2 at example.com after some time.

Tot kijk

BTW: Some time ago I posted to mails to this list about mistakes (I
think so) in JEP-0178. Is that because I wrote to much, or is it that
just nobody had comments to it?

Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4263 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20060928/7aa8b89f/attachment.bin>

More information about the Standards mailing list