[Standards] XEP-0225: authentication, authorization, binding

Peter Saint-Andre stpeter at stpeter.im
Fri Feb 29 23:19:19 UTC 2008


Gaston Dombiak and I had a chat this afternoon about XEP-0225 (Component
Connections). Here are our conclusions:

1. The current binding stuff is wrong. We should reserve the term
"binding" for binding resources (as in RFC 3920). The current binding
stuff is a form of authorization, not binding.

2. So we need a way to complete authorization. We talked about ways to
do this in SASL (e.g., authenticate as an initial identity = domain and
then authorize multiple identities after that), but we agreed that (1)
we don't know exactly how that would work in SASL-land and (2) most XMPP
servers probably would not enable you to authorize multiple identities
in one XML stream. Therefore we concluded that a better approach would
be to allow multiple XML streams over the same TCP connection (similar
in some ways to piggybacking for server dialback), so that after
authenticating as foo.example.com you could negotiate a second stream
for bar.example.com and so on. Thus one identity per stream.

3. This leaves binding as a way to bind resources, as Daniel Henninger
and I previously discussed on this list. So the server could bind
multiple resources to foo.example.com for load-balancing or whatever it
wants.

I'll work on revisions to XEP-0225 along these lines soon.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20080229/002f4024/attachment.bin>


More information about the Standards mailing list