stpeter at jabber.org
Thu Sep 28 21:51:55 UTC 2006
Matthias Wimmer wrote:
> Hi Peter!
> Peter Saint-Andre wrote:
>> Section 3.8 of RFC 4422 states:
>> Unless explicitly permitted in the protocol (as stated in the
>> protocol's technical specification), only one successful SASL
>> authentication exchange may occur in a protocol session.
>> Given that XMPP connections can be long-lived (you could be connected
>> for weeks or months!), it seems that we might want to define a way for
>> the server (i.e., receiving entity) to request re-authentication by the
>> initiating entity. (For example, perhaps the X.509 certificate you used
>> while authenticating expires during your session.)
> While I do not know if we need SASL-reauthentication, and currently I do
> not want to give an answer on that ...
Personally I don't think we need it, but I figured I'd raise the issue.
As far as I'm concerned, if the server really cares it could end the
user's session and force a reconnect and re-authentication that way.
Sure, it's not all that elegant, but it gets the job done. :-)
> We do not need SASL reauthentication for the use-case you provided.
Maybe it was a bad example.
> - I do not think that a session becomes invalid because of a certificate
> expiring while the session persists. For me certificate expiration
> date just means that you cannot authenticate with that certificate
> afterwards (e.g. because the CA will possibly delete a revocation
> certificate after that date from the revocation list).
> Compare it with a bank account. When you open a bank account here in
> Germany, you have to prove your identity showing your identity card.
> But once this identity has been proven you do not have to show a new
> identity card after the old one expired.
> - Using TLS and certificates means we are using the SASL EXTERNAL
> mechanism. This means SASL did not _authenticate_ the user but just
> did _authorization_. If you want to re_authenticate_ a user in that
> case it is not the task of SASL to do this, but the task of TLS.
> And TLS already has all you need for a reauthentication. It is already
> possible using TLS+SASL EXTERNAL to rerequest authentication of a
> If we are asking whether we should support SASL re-authentication, I think we
> have to ask whether we want to support changing the _authorization_ identity
> used by one end of a connection, i.e. whether we want to support a connection
> being first used by user1 at example.com, and that connection getting reused
> by user2 at example.com after some time.
Yes, that's re-authorization for sure. But that seems like another very
uncommon use case that we don't need to support.
> BTW: Some time ago I posted two mails to this list about mistakes (I
> think so) in JEP-0178. Is that because I wrote too much, or is it that
> just nobody had comments on it?
I guess I missed them the first time, but they're still in my inbox so
I'll read them soon. :-)
Jabber Software Foundation