[Standards] UPDATED: XEP-0257 (Client Certificate Management for SASL EXTERNAL)

Alexey Melnikov alexey.melnikov at isode.com
Thu Feb 12 19:28:33 UTC 2009

XMPP Extensions Editor wrote:

>Version 0.2 of XEP-0257 (Client Certificate Management for SASL EXTERNAL) has been released.
>Abstract: This specification defines a method to manage client certificates that can be used with SASL External to allow clients to log in without a password.
>Changelog: [See revision history] (dm)
>Diff: http://svn.xmpp.org:18080/browse/XMPP/trunk/extensions/xep-0257.xml?%40diffMode=u&%40diffWrap=s&r1=2598&r2=2730&u=3&ignore=&k=
>URL: http://www.xmpp.org/extensions/xep-0257.html
This looks better. Some quick comments:

1). Semantics of "disabling" is not quite clear. In particular, are 
disabled certificates still returned in response to the list request? If 
they are returned, then you need a way to mark them somehow in the list 
response. If they are not returned, then it would be better to call this 
operation "deletion".

2). In Section 3 the following text was added:

> If the subjectAltName contains a full JID the server MUST force the 
> client to use the given resource during resource binding. The client 
> is only allowed to use the provided resource name. If a client with 
> the same resource name is currently logged in and that client is not 
> forced to use that resource name, it SHOULD be logged out by the server.

I am not entirely sure what this text is trying to achieve.

However this brings an interesting question: if the uploaded certificate 
has a JID in the subjectAltName, then I think the JID MUST correspond to 
the user's account for which it was uploaded.

More information about the Standards mailing list