[Standards] UPDATED: XEP-0257 (Client Certificate Management for SASL EXTERNAL)

Peter Saint-Andre stpeter at stpeter.im
Fri Feb 13 01:58:58 UTC 2009


Alexey Melnikov wrote:
> Peter Saint-Andre wrote:
> 
>> Alexey Melnikov wrote:
>>  
>>
>>> 2). In Section 3 the following text was added:
>>>   
>>>> If the subjectAltName contains a full JID the server MUST force the
>>>> client to use the given resource during resource binding. The client
>>>> is only allowed to use the provided resource name. If a client with
>>>> the same resource name is currently logged in and that client is not
>>>> forced to use that resource name, it SHOULD be logged out by the
>>>> server.
>>>>     
>>> I am not entirely sure what this text is trying to achieve.
>>>   
> Even after Peter's clarification, I don't think I understand what the
> last sentence is saying.
>
> In particular why "that client is not forced to use that resource name"?

So you'll have two kinds of certs: one that is limited to a particular
full JID (let's call it a "full-JID cert") and one that isn't (let's
call it a "bare-JID cert"). If a bare-JID cert is currently logged in
with a full JID that matches a given full-JID cert (e.g., our "TV"
resource), then Dirk is suggesting that the client presenting the
full-JID would have priority and the server would bump the client that
presented a bare-JID cert. So that rule would provide guidance to the
server regarding the alternatives described in Section 8.5.2.2 of
rfc3920bis:

http://xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-08.html#bind-clientsubmit-error-conflict

/psa
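The precedence rule discussed in this message, as an added Python sketch that is not part of the original post or of XEP-0257. The class and function names and the example.org address are hypothetical, and rejecting the newcomer in every conflict other than "full-JID cert versus bare-JID cert session" is an assumption, since the thread leaves that choice to the alternatives in rfc3920bis.

```python
import secrets
from dataclasses import dataclass

class BindConflict(Exception):
    """Stands in for the <conflict/> resource-binding error."""

@dataclass
class Session:
    resource: str
    forced: bool  # True when a full-JID cert dictated the resource

def split_jid(jid):
    """Split the JID taken from subjectAltName into (bare, resource or None)."""
    bare, sep, resource = jid.partition("/")  # a bare JID never contains "/"
    return bare, (resource if sep else None)

class Server:
    """Hypothetical session table keyed by bare JID, then by resource."""
    def __init__(self):
        self.sessions = {}
        self.bumped = []  # full JIDs the server logged out

    def bind(self, cert_jid, requested=None):
        bare, cert_resource = split_jid(cert_jid)
        forced = cert_resource is not None
        # Full-JID cert: the certificate's resource wins over the request.
        # Bare-JID cert: client's choice, or a server-generated resource.
        resource = cert_resource if forced else (requested or secrets.token_hex(4))
        table = self.sessions.setdefault(bare, {})
        existing = table.get(resource)
        if existing is not None:
            if forced and not existing.forced:
                # The holder got this resource with a bare-JID cert: bump it.
                self.bumped.append(f"{bare}/{resource}")
            else:
                # Assumption: in all other conflicts the newcomer is refused.
                raise BindConflict(f"{bare}/{resource}")
        table[resource] = Session(resource, forced)
        return f"{bare}/{resource}"

if __name__ == "__main__":
    srv = Server()
    print(srv.bind("dirk@example.org", "TV"))         # bare-JID cert takes "TV"
    print(srv.bind("dirk@example.org/TV", "laptop"))  # full-JID cert forces "TV"
    print("bumped:", srv.bumped)
```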
