[Standards] Kerberos to JID mapping

Joe Hildebrand hildjj at gmail.com
Thu Mar 8 17:58:00 UTC 2007


However, keep in mind that if there are multiple ways of specifying  
the same user identity, they all need to map onto the same JID.  So
if ghudson at ATHENA.MIT.EDU and ghudson/root at ATHENA.MIT.EDU are really  
names for the same user, they both need to map onto ghudson at mit.edu  
or some such.  A mere blind encoding isn't enough.

On Mar 7, 2007, at 2:50 PM, Mridul wrote:

>
> JID Escaping (http://www.xmpp.org/extensions/xep-0106.html) allows  
> the use of '/', '\', etc in the node of a jid.
> For example, we use this for supporting mailid as the user id for  
> users in some customer deployments.
>
> Regards,
> Mridul
>
> Greg Hudson wrote:
>> At MIT we have an XMPP namespace which corresponds closely to our
>> Kerberos namespace.  We are currently exploring the details of the
>> mapping function from Kerberos authn IDs to XMPP authzids.
>> A Kerberos principal usually looks like ghudson at ATHENA.MIT.EDU, in
>> which case the mapping function is pretty obvious.  But a principal
>> can also look like ghudson/root at ATHENA.MIT.EDU or
>> host/someserver.mit.edu at ATHENA.MIT.EDU.  JID nodes cannot contain
>> slash characters, so a direct mapping is not an option for these
>> multi-component principals.
>> My best understanding is that this mapping is totally a matter of
>> local policy, and any mapping is as good as any other (as long as it's
>> internally consistent and lives within the character set restrictions
>> of a JID node).  But if there are any standards covering this issue,
>> I'd love to know ahead of time, so that we don't have to make a
>> transition later.  Is my understanding correct?
>> Thanks.
>
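
An added example, not code from this thread or from MIT: a mapping that canonicalizes alias principals onto one JID before applying XEP-0106 escaping to the remaining multi-component names. The realm table, the set of alias instances, the service-primary list and the lowercasing step are assumed local policy.

```python
import re

# Assumed local policy tables (hypothetical values, not from any real deployment).
REALM_TO_DOMAIN = {"ATHENA.MIT.EDU": "mit.edu"}
SAME_USER_INSTANCES = {"root"}   # user/root is the same person as user
SERVICE_PRIMARIES = {"host"}     # service principals are never collapsed

# XEP-0106 escapes for characters a JID node may not contain.
_ESCAPES = {" ": r"\20", '"': r"\22", "&": r"\26", "'": r"\27", "/": r"\2f",
            ":": r"\3a", "<": r"\3c", ">": r"\3e", "@": r"\40"}
# A literal backslash is escaped only when it would read as an escape sequence.
_AMBIGUOUS_BACKSLASH = re.compile(r"\\(?=20|22|26|27|2f|3a|3c|3e|40|5c)")


def escape_node(text):
    """Apply XEP-0106 JID escaping to a prospective node identifier."""
    text = _AMBIGUOUS_BACKSLASH.sub(lambda m: "\\5c", text)
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def principal_to_jid(principal):
    """Map a Kerberos principal to a bare JID, merging known aliases first."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or realm not in REALM_TO_DOMAIN:
        # Fail closed: an unmapped realm must not silently receive a JID.
        raise ValueError(f"no mapping policy for {principal!r}")
    parts = name.split("/")
    # Canonicalize before encoding, so every name for a user yields one JID.
    if (len(parts) == 2 and parts[1] in SAME_USER_INSTANCES
            and parts[0] not in SERVICE_PRIMARIES):
        parts = parts[:1]
    # Lowercase here because nodeprep case-folds the node anyway (assumption:
    # no two principals in the realm differ only by case).
    node = escape_node("/".join(parts)).lower()
    return f"{node}@{REALM_TO_DOMAIN[realm]}"


if __name__ == "__main__":
    for p in ("ghudson@ATHENA.MIT.EDU", "ghudson/root@ATHENA.MIT.EDU",
              "host/someserver.mit.edu@ATHENA.MIT.EDU"):
        print(p, "->", principal_to_jid(p))
```
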



