[Standards] XEP-0178: Clarify SASL-EXTERNAL specification when s2s auth fails

Dave Cridland dave at cridland.net
Sun Aug 2 14:40:36 UTC 2020


My apologies for not replying to this one, though I think it's covered
elsewhere in this discussion. For completeness:

On Wed, 1 Jul 2020 at 13:28, Philipp Hancke <fippo at goodadvice.pages.de>
wrote:

> If the receiving server follows the process described in #9 of
>    https://xmpp.org/extensions/xep-0178.html#s2s
> which says that you do the authentication at this point (and then again
> in #11) how can external fail?
>
>
If in step 7b, the Initiator (Server1) doesn't include a `from` attribute
(which is not conformant to RFC 6120), and in addition either:

a) Uses an explicit authorization identity that does not match in the SASL
EXTERNAL exchange, or
b) Does not provide an authorization identity, and one cannot be derived
from the certificate (wildcards, etc).

Option (a) used to be quite common, where a certificate for `example.org`
was being used additionally by `conference.example.org` for instance, but
less so now. The same vintage servers that neglect to provide a `from`
attribute also tend to always provide an authorization identifier, so (b)
isn't very common at all.


> If the receiving server can not authenticate the request it's a policy
> decision to not offer external and maybe use dialback.
>
> Am 30.06.20 um 17:59 schrieb Jonas Schäfer:
> > Hi list,
> >
> > (Editor hat on)
> >
> > On behalf of the Council, I’d like to bring this pull request to the
> > attention of the community:
> >
> > https://github.com/xsf/xeps/pull/963
> >
> > Input from server operators specifically would be welcomed to see if this
> > change is in fact desirable or if you can see any issues with that. At
> > least one member of the community has already expressed [1] that they
> > think this may lead to downgrade attacks.
> >
> > kind regards and thank you,
> > Jonas
> >
> >     [1]: https://mail.jabber.org/pipermail/standards/2020-June/037592.html
> >
> >
> > _______________________________________________
> > Standards mailing list
> > Info: https://mail.jabber.org/mailman/listinfo/standards
> > Unsubscribe: Standards-unsubscribe at xmpp.org
> > _______________________________________________
> >
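The two failure cases listed above (an initiator that omits `from`, and then either asserts an authorization identity the certificate does not cover, or asserts none and the certificate does not yield one) can be modelled as the decision a receiving server makes before it lets SASL EXTERNAL succeed. The following is an added example, not code from any XMPP server, from XEP-0178 or from this thread. The function names (`authenticate_external`, `cert_name_matches`, `derive_identity`), the simplified single-label wildcard matching, and the choice that a certificate with zero or several non-wildcard names yields no derived identity are all assumptions made for the illustration; the sample certificate name lists are constructed.

```python
"""Model of the receiving server's SASL EXTERNAL decision for s2s.

Illustrative only: this is not the code of any real XMPP server and
simplifies certificate matching to exact names plus one-label wildcards.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Outcome:
    ok: bool
    identity: Optional[str]   # the domain the peer is authenticated as
    reason: str


def cert_name_matches(cert_name: str, domain: str) -> bool:
    """Does a dNSName from the certificate cover `domain`?

    Exact match, or a `*.example.org` wildcard covering exactly one
    additional label (assumption: a simplified RFC 6125-style rule).
    """
    cert_name = cert_name.lower()
    domain = domain.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                 # ".example.org"
        if not domain.endswith(suffix) or len(domain) <= len(suffix):
            return False
        # The wildcard must stand in for a single label.
        return "." not in domain[: -len(suffix)]
    return cert_name == domain


def derive_identity(cert_names: Iterable[str]) -> Optional[str]:
    """Derive an identity from the certificate when the peer asserts none.

    Assumption for this model: only a certificate with exactly one
    non-wildcard name yields an identity; wildcards or several names are
    ambiguous and yield nothing (case b in the message above).
    """
    concrete = [n for n in cert_names if not n.startswith("*.")]
    return concrete[0] if len(concrete) == 1 else None


def authenticate_external(stream_from: Optional[str],
                          authzid: Optional[str],
                          cert_names: list) -> Outcome:
    """Decide whether EXTERNAL can succeed for this peer.

    stream_from: the `from` attribute of the initiator's stream header,
                 or None when the initiator (non-conformantly) omits it.
    authzid:     the authorization identity sent in the EXTERNAL
                 exchange, or None when the initiator sends none.
    cert_names:  dNSName identities presented in the peer certificate.
    """
    if stream_from is not None:
        # Conformant initiator: the identity it asserts (authzid, else
        # the stream `from`) must be covered by its certificate.
        claimed = authzid or stream_from
        if any(cert_name_matches(n, claimed) for n in cert_names):
            return Outcome(True, claimed, "certificate covers asserted identity")
        return Outcome(False, None, "certificate does not cover " + claimed)

    # No `from` attribute: the receiving server has only the EXTERNAL
    # exchange and the certificate to go on.
    if authzid is not None:
        # Case (a): explicit authzid must match the certificate.
        if any(cert_name_matches(n, authzid) for n in cert_names):
            return Outcome(True, authzid, "authzid covered by certificate")
        return Outcome(False, None, "authzid not covered by certificate")

    # Case (b): nothing asserted; try to derive an identity from the cert.
    derived = derive_identity(cert_names)
    if derived is None:
        return Outcome(False, None, "no identity derivable from certificate")
    return Outcome(True, derived, "identity derived from certificate")


if __name__ == "__main__":
    # Constructed sample inputs for the cases discussed in the thread.
    print(authenticate_external(None, "conference.example.org", ["example.org"]))
    print(authenticate_external(None, None, ["*.example.org"]))
    print(authenticate_external(None, None, ["example.org"]))
    print(authenticate_external("example.org", None, ["example.org"]))
```

When `Outcome.ok` is false the receiving server has not authenticated the peer, and (as Philipp notes above) whether to withhold EXTERNAL and fall back to dialback at that point is a local policy decision; the model only shows why the failure is reachable at all when `from` is missing.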