m at tthias.eu
Thu Sep 28 21:21:03 UTC 2006
Peter Saint-Andre wrote:
> Section 3.8 of RFC 4422 states:
> Unless explicitly permitted in the protocol (as stated in the
> protocol's technical specification), only one successful SASL
> authentication exchange may occur in a protocol session.
> Given that XMPP connections can be long-lived (you could be connected
> for weeks or months!), it seems that we might want to define a way for
> the server (i.e., receiving entity) to request re-authentication by the
> initiating entity. (For example, perhaps the X.509 certificate you used
> while authenticating expires during your session.)
While I do not know if we need SASL re-authentication, and currently I do
not want to give an answer on that ...
We do not need SASL reauthentication for the use-case you provided.
- I do not think that a session becomes invalid because of a certificate
expiring while the session persists. For me, the certificate expiration
date just means that you cannot authenticate with that certificate
afterwards (e.g. because the CA will possibly delete a revocation
certificate after that date from the revocation list).
Compare it with a bank account. When you open a bank account here in
Germany, you have to prove your identity by showing your identity card.
But once this identity has been proven, you do not have to show a new
identity card after the old one has expired.
- Using TLS and certificates means we are using the SASL EXTERNAL
mechanism. This means SASL did not _authenticate_ the user but just
did _authorization_. If you want to re_authenticate_ a user in that
case it is not the task of SASL to do this, but the task of TLS.
And TLS already has all you need for a reauthentication. It is already
possible using TLS+SASL EXTERNAL to rerequest authentication of a
If we are asking whether we should support SASL re-authentication, I think we
have to ask whether we want to support changing the _authorization_ identity
used by one end of a connection. I.e. if we want to support a connection
being first used by user1 at example.com, and that connection getting reused
by user2 at example.com after some time.
BTW: Some time ago I posted two mails to this list about mistakes (I
think so) in JEP-0178. Is that because I wrote too much, or is it that
just nobody had comments on it?
Matthias Wimmer Fon +49-700 77 00 77 70
Züricher Str. 243 Fax +49-89 95 89 91 56
81476 München http://ma.tthias.eu/