[Standards] XEP-0178 1.1rc3

Philipp Hancke fippo at goodadvice.pages.de
Thu Apr 14 12:11:44 UTC 2011

Peter Saint-Andre wrote:
>> s2s step 10 includes the authorization identity, whereas section 9.2.2.
>> in the RFC includes an empty response.
>> Unless we consider that a bug in the RFC we need some kind of handling
>> for using the stream's from attribute in step 11 when the response is
>> empty.
> I think it depends.
> As in XEP-0220, if the sending domain is authorizing as (e.g.) a
> subdomain such as chat.sender.tld then wouldn't the originating server
> specify that as an authorization identity? Or do we assume that the

Multiple authentications?

> 'from' will always match the authorization identity, in which case it's

That assumption is already there, because the receiving server offers 
EXTERNAL only if the 'from' is contained in the certificate.

> never necessary to include the authzid? I suppose the latter approach is
> simpler...

Sure. But that was changed in version 0.0.3 and I don't think we can 
"fix" that now nor is there a compelling reason.

I have no objections to adding a fallback to the stream's in s2s step 11 
if the authorization id is empty. IIRC some servers already do that.


More information about the Standards mailing list