[Standards] Re: [Standards-JIG] UPDATED: XEP-0178 (Best Practices for Use of SASL EXTERNAL)

Peter Saint-Andre stpeter at jabber.org
Fri Jan 26 18:16:57 UTC 2007

Matthias Wimmer wrote:
> Peter Saint-Andre schrieb:
>>> The other thing is if EXTERNAL has been offered (i.e. TLS was able to
>>> verify the authentication identity), but EXTERNAL failed to authorize
>>> (i.e. the peer tried to authorize as someone he is not allowed to
>>> authorize as), it might be considered as a final authorization failure
>>> causing a stream-close. I am not sure about that one yet.
>> I guess in that case the auth would fail and the client would need to 
>> retry with a different mechanism next time?
> Not sure. That would mean, that if SASL EXTERNAL fails for temporarily 
> reasons, that a server stops using it for future authentication attempts.

No, I mean the server would offer SASL EXTERNAL the next time but the 
client would try a different mechanism. Alternatively, the server could 
return a SASL failure for EXTERNAL but not close the stream, in which 
case the client could try another mechanism. The SASL spec has some text 
about the number of retries a server might allow, and I'll look at that 
again. But right now I am deeply involved in cleaning up the text about 
server dialback in rfc3920bis (don't worry, I'm making no modifications 
to the logic, just better examples and more error flows!).


Peter Saint-Andre
XMPP Standards Foundation

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7358 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20070126/60257171/attachment.bin>

More information about the Standards mailing list