[Standards-JIG] re-authentication

Peter Saint-Andre stpeter at jabber.org
Thu Sep 28 21:51:55 UTC 2006

Matthias Wimmer wrote:
> Hi Peter!
> Peter Saint-Andre schrieb:
>> Section 3.8 of RFC 4422 states:
>>    Unless explicitly permitted in the protocol (as stated in the
>>    protocol's technical specification), only one successful SASL
>>    authentication exchange may occur in a protocol session.
>> Given that XMPP connections can be long-lived (you could be connected
>> for weeks or months!), it seems that we might want to define a way for
>> the server (i.e., receiving entity) to request re-authentication by the
>> initiating entity. (For example, perhaps the X.509 certificate you used
>> while authenticating expires during your session.)
> While I do not know if we need SASL-reauthentication, and currently I do
> not want to give an answer on that ...

Personally I don't think we need it, but I figured I'd raise the issue.
As far as I'm concerned, if the server really cares it could end the
user's session and force a reconnect and re-authentication that way.
Sure, it's not all that elegant, but it gets the job done. :-)

> We do not need SASL reauthentication for the use-case you provided.

Maybe it was a bad example.

> - I do not think that a session gets invalid because of a certificate
>   expiring while the session persists. For me certificate expiration
>   date just means that you cannot authenticate with that certificate
>   afterwards (e.g. because the CA will possibly delete a revocation
>   certificate after that date from the revocation list).
>   Compare it with a bank account. When you open a bank account here in
>   Germany, you have to prove your identity showing your identity card.
>   But once this identity has been proven you do not have to show a new
>   identity card after the old one expired.
> - Using TLS and certificates means we are using the SASL EXTERNAL
>   mechanism. This means SASL did not _authenticate_ the user but just
>   did _authorization_. If you want to re_authenticate_ a user in that
>   case it is not the task of SASL to do this, but the task of TLS.
>   And TLS already has all you need for a reauthentication. It is already
>   possible using TLS+SASL EXTERNAL to re-request authentication of a
>   client.
> If we are asking, if we should support SASL-reauthentication, I think we
> have to ask, if we want to support changing the _authorization_ identity
> used by one end of a connection. I.e. if we want to support a connection
> to be first used by user1 at example.com, and that connection gets reused
> by user2 at example.com after some time.

Yes, that's re-authorization for sure. But that seems like another very
uncommon use case that we don't need to support.

> BTW: Some time ago I posted two mails to this list about mistakes (I
> think so) in JEP-0178. Is that because I wrote too much, or is it that
> just nobody had comments on it?
> http://mail.jabber.org/pipermail/standards-jig/2006-September/012343.html
> http://mail.jabber.org/pipermail/standards-jig/2006-September/012344.html

I guess I missed them the first time, but they're still in my inbox so
I'll read them soon. :-)


Peter Saint-Andre
Jabber Software Foundation
