[Standards] XEP-0178: Clarify SASL-EXTERNAL specification when s2s auth fails

Dave Cridland dave at cridland.net
Wed Jul 1 09:53:46 UTC 2020


On Tue, 30 Jun 2020 at 19:59, Holger Weiß <holger at zedat.fu-berlin.de> wrote:

> * Jonas Schäfer <jonas at wielicki.name> [2020-06-30 17:59]:
> > On behalf of the Council, I'd like to bring this pull request to the
> > attention of the community:
> >
> > https://github.com/xsf/xeps/pull/963
>
> Wait, is this PR actually modifying the authentication step it intends
> to change?  I was assuming we're talking about XEP-0178, #3, step 7 (a),
> where the spec tells the receiving server to close the connection if
> initial certificate verification fails.  The PR is instead changing step
> 11 (b), where the receiving server checks the new stream's 'from'
> against the certificate.
>
>
I don't think that's the case, but it is certainly unclear.

What it (attempts to, I think) say is that if the authorization identifier
does not match, then...

And it *also* says that the authorization identifier should be taken from
the stream from, and that this ought to match any supplied during the
EXTERNAL exchange itself.

We should probably clarify this text, it *is* unclear, but I don't think
this particular change makes it any less so.


> Holger