[Standards] Correction to 3290bis4

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Fri Nov 2 18:22:50 UTC 2007


On Friday 02 November 2007 1:44 am, Alexey Melnikov wrote:
> Peter Saint-Andre wrote:
> >Toly Menn wrote:
> >>Also, section 7.3.4 indicates that the receiving end of the
> >>connection SHOULD allow at least 2 and no more than 5 retries from
> >>the abort.  Does this make sense for s2s connections?  EXTERNAL
> >>mechanism?
> >
> >That rule (which IIRC we borrowed from RFC 4422) may not make sense for
> >all SASL mechanisms or for s2s connections.
>
> Agreed.
>
> >However, for c2s connections
> >it may make sense for SASL EXTERNAL because end users can have multiple
> >certificates (I know I do).
>
> As a side note: how do you select a particular certificate using SASL
> EXTERNAL? Are you using a different authorization identity in the hope that
> the server end will match it against the correct client certificate?

You don't select a particular certificate, you select a particular identity
from that certificate.  Suppose you could have three JIDs in a cert, and you
present that cert during the TLS negotiation.  The authzid used during SASL
EXTERNAL allows you to pick which identity to act as.  Thus, retrying with
EXTERNAL is useful for people with certificates that contain many identities.
However, it is not useful for people who have multiple certificates.

-Justin
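To make the distinction above concrete, here is an added example (not code from this thread or from any XMPP implementation) of the server-side check: the TLS client certificate fixes the set of JIDs, and the SASL EXTERNAL authzid only chooses among them, with the bounded retry count from section 7.3.4. Assumptions: the JID set is handed in directly (in a real server it would be read from the certificate's id-on-xmppAddr subjectAltName entries), and the retry window is the 2 to 5 quoted above.

```python
from typing import FrozenSet, Iterable, Optional

# Retry bounds as quoted from 3920bis section 7.3.4 (assumed semantics:
# the server permits this many retries after a failed EXTERNAL attempt).
MIN_RETRIES = 2
MAX_RETRIES = 5


def select_identity(cert_jids: FrozenSet[str], authzid: Optional[str]) -> Optional[str]:
    """Pick the JID to act as, or None if no single identity can be chosen.

    cert_jids: JIDs asserted by the client certificate presented during TLS
               (constructed input here; normally id-on-xmppAddr SAN entries).
    authzid:   SASL EXTERNAL authorization identity, None when the client
               sent an empty one.
    """
    if not cert_jids:
        return None  # certificate vouches for no XMPP identity at all
    if authzid is None:
        # Empty authzid is only unambiguous when the cert carries one JID.
        return next(iter(cert_jids)) if len(cert_jids) == 1 else None
    # The authzid may only name an identity the certificate actually asserts;
    # the certificate itself cannot be swapped mid-stream, only the choice.
    return authzid if authzid in cert_jids else None


class ExternalNegotiation:
    """Server-side state for SASL EXTERNAL on one TLS-protected stream."""

    def __init__(self, cert_jids: Iterable[str], max_retries: int = MAX_RETRIES):
        if not MIN_RETRIES <= max_retries <= MAX_RETRIES:
            raise ValueError("retry limit must be between 2 and 5")
        self.cert_jids = frozenset(cert_jids)  # fixed by the TLS handshake
        self.max_retries = max_retries
        self.failures = 0
        self.authenticated: Optional[str] = None
        self.closed = False

    def attempt(self, authzid: Optional[str]) -> str:
        """One EXTERNAL attempt; returns 'success', 'failure' or 'closed'."""
        if self.closed or self.authenticated is not None:
            return "closed" if self.closed else "success"
        jid = select_identity(self.cert_jids, authzid)
        if jid is not None:
            self.authenticated = jid
            return "success"
        self.failures += 1
        if self.failures > self.max_retries:
            self.closed = True  # retries exhausted: stream is torn down
            return "closed"
        return "failure"  # client may retry with a different authzid
```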
