[Standards] UPDATED: XEP-0257 (Client Certificate Management for SASL EXTERNAL)

Alexey Melnikov alexey.melnikov at isode.com
Thu Feb 12 22:53:01 UTC 2009


Peter Saint-Andre wrote:

>Alexey Melnikov wrote:
>  
>
>>2). In Section 3 the following text was added:
>>    
>>
>>>If the subjectAltName contains a full JID the server MUST force the
>>>client to use the given resource during resource binding. The client
>>>is only allowed to use the provided resource name. If a client with
>>>the same resource name is currently logged in and that client is not
>>>forced to use that resource name, it SHOULD be logged out by the server.
>>>      
>>>
>>I am not entirely sure what this text is trying to achieve.
>>    
>>
Even after Peter's clarification, I don't think I understand what the 
last sentence is saying.
In particular why "that client is not forced to use that resource name"?

>As I understand it from talking with Dirk at the XMPP Summit, this text
>is trying to achieve lockdown of resource identifiers. So for instance I
>could say that the full JID for a certificate is "me at myserver.tld/TV"
>(my set-top box) and another is "me at myserver.tld/DVR" (my digital video
>recorder) or whatever. My DVR can't log in as my TV and my TV can't log
>in as my DVR. You could think of these as "user" accounts with few
>permissions, whereas an "admin" account could log in as any of those
>resources. But probably Dirk can explain it more accurately.
>  
>
I think some text like what you describe would make the document better.

>>However this brings an interesting question: if the uploaded certificate
>>has a JID in the subjectAltName, then I think the JID MUST correspond to
>>the user's account for which it was uploaded.
>>    
>>
>Certainly.
>  
>
I think this statement is missing.
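
The two server-side rules discussed above (the forced resource when the certificate's subjectAltName carries a full JID, and the check Alexey says is missing, that the certificate's JID must belong to the account it was uploaded for) can be made concrete in code. The following is an added illustration, not code from XEP-0257, from any XMPP server, or from either poster; the `bind_resource` function, the `Session` model, the generated-resource fallback and the handling of a clash between two forced sessions are all assumptions made for the example, and JID parsing is deliberately simplified (no stringprep, localpart required).

```python
"""Server-side checks on a client certificate's XmppAddr at resource binding.

Constructed example illustrating the XEP-0257 text quoted in this thread.
Not the XEP's own text, nor any real server's implementation.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Jid:
    localpart: str
    domain: str
    resource: Optional[str] = None

    @property
    def bare(self) -> str:
        return f"{self.localpart}@{self.domain}"


def parse_jid(text: str) -> Jid:
    """Split an XmppAddr value into localpart, domain and optional resource.

    Simplified (assumption): a localpart is required and no stringprep is done.
    """
    bare, slash, resource = text.partition("/")
    local, at, domain = bare.partition("@")
    if not at or not local or not domain:
        raise ValueError(f"not a JID with a localpart: {text!r}")
    if slash and not resource:
        raise ValueError(f"empty resource in {text!r}")
    return Jid(local, domain, resource or None)


@dataclass
class Session:
    resource: str
    forced: bool  # True when the resource was dictated by the certificate


@dataclass
class BindResult:
    accepted: bool
    resource: Optional[str] = None
    forced: bool = False
    evicted: List[str] = field(default_factory=list)
    reason: str = ""


def bind_resource(cert_san_jid: str, account_bare_jid: str,
                  requested_resource: Optional[str],
                  sessions: List[Session]) -> BindResult:
    """Decide the resource for a client authenticated via SASL EXTERNAL.

    `sessions` is the account's list of live sessions; it is updated in place.
    """
    cert = parse_jid(cert_san_jid)

    # The statement Alexey notes as missing: the JID in the certificate must
    # correspond to the account the certificate was uploaded for.
    if cert.bare != account_bare_jid:
        return BindResult(False, reason="certificate JID does not match account")

    if cert.resource is None:
        # Bare JID in the certificate: the client picks its resource, or the
        # server generates one (generation scheme is an assumption here).
        chosen = requested_resource or secrets.token_hex(8)
        sessions.append(Session(chosen, forced=False))
        return BindResult(True, chosen, forced=False)

    # Full JID in the certificate: the server forces that resource, and the
    # client may not ask for a different one.
    if requested_resource not in (None, cert.resource):
        return BindResult(False, reason="client must use the certificate's resource")

    # Quoted rule: an existing session on the same resource that was not
    # itself forced SHOULD be logged out.
    evicted = [s.resource for s in sessions
               if s.resource == cert.resource and not s.forced]
    sessions[:] = [s for s in sessions
                   if s.resource != cert.resource or s.forced]

    # Two forced sessions on one resource is not covered by the quoted text;
    # treating it as a conflict is this example's assumption.
    if any(s.resource == cert.resource for s in sessions):
        return BindResult(False, evicted=evicted,
                          reason="resource already bound by a forced session")

    sessions.append(Session(cert.resource, forced=True))
    return BindResult(True, cert.resource, forced=True, evicted=evicted)
```

With Peter's set-top box scenario, a certificate for `me@myserver.tld/TV` binds only to `TV`, a request for `DVR` with that certificate is refused, and a certificate uploaded for another account is rejected before any resource handling happens.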



