[xmppwg] SASL Issues

Tony Hansen tony at att.com
Thu Oct 31 19:58:17 CST 2002


One thing I noticed when reading the latest XMPP spec with respect to 
SASL is that it doesn't handle well SASL mechanisms that start their 
negotiation exchange from the client side.

The current SASL specs (in progress) encourage profiles to include an 
optional parameter when the mechanism is chosen:

    from draft-myers-saslrev-02.txt:
    ... a protocol definition MUST supply the following information: ...

    2. A definition of the command to initiate the authentication
       protocol exchange.  This command must have as a parameter the name
       of the mechanism being selected by the client.

       The command SHOULD have an optional parameter giving an initial
       response.  This optional parameter allows the client to avoid a
       round trip when using a mechanism which is defined to have the
       client send data first.  When this initial response is sent by the
       client and the selected mechanism is defined to have the server
       start with an initial challenge, the command fails.  See section
       6.1 of this document for further information.

For SASL mechanisms that start their exchange with a client string, 
without this optional parameter, a round trip must be wasted for the 
server to respond with an empty challenge before they can finally start.

I suggest changing the SASL mechanism selection from this example in 
section 5.1.2:

	Step 4: Node selects an authentication mechanism:

	   <sasl:auth>DIGEST-MD5</sasl:auth>

to

	Step 4: Node selects an authentication mechanism:

	   <sasl:auth><mechanism>DIGEST-MD5</mechanism></sasl:auth>

If the mechanism contains an initial challenge, it would look like

	Step 4: Node selects an authentication mechanism:

	   <sasl:auth><mechanism>OTP</mechanism>
		<sasl:response>
			dXNlcm5hbWU9InJvYiIscmVhbG09ImNhdGFjbHl
		</sasl:response>
	   </sasl:auth>

Section 5.1.1 would have a corresponding change, something like this:

    o  Node selects a mechanism by sending a <sasl:auth/> element to the
       host with the mechanism specified by the character data within
       <mechanism/>; this element MAY also optionally contain an initial
       client response as the character data within a <sasl:response/>
       (if the mechanism sends an initial response).

The DTD and schema need changing too.

I think those are all the needed changes.

	Tony Hansen
	tony at att.com
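The following is an added example, not code from the post or from the XMPP working group, modelling the command-level behaviour the quoted draft describes: a client builds the proposed <sasl:auth> element with an optional initial response, and a server decides whether to consume that response, send an empty challenge (the wasted round trip), send its own first challenge, or fail the command because an initial response arrived for a server-first mechanism. The namespace URI for the sasl: prefix, the table of which mechanisms are client-first, and the action names are assumptions made for this example; PLAIN's initial-response layout follows RFC 4616.

```python
import base64
import xml.etree.ElementTree as ET

# The post never gives the URI behind the "sasl:" prefix, so this example
# uses a placeholder (an assumption, not taken from any spec).
SASL_NS = "urn:example:sasl"
ET.register_namespace("sasl", SASL_NS)

# Illustrative table of who speaks first (assumed for the example; a real
# server gets this from its SASL library). True means the client sends first.
CLIENT_FIRST = {"PLAIN": True, "OTP": True, "DIGEST-MD5": False}


def _q(tag):
    """Qualify a tag name with the sasl namespace."""
    return "{%s}%s" % (SASL_NS, tag)


def build_auth(mechanism, initial_response=None):
    """Client side: serialise <sasl:auth><mechanism/>[<sasl:response/>]</sasl:auth>.

    As in the post's example, <mechanism/> carries no prefix and the initial
    response is base64-encoded character data. None means no initial response.
    """
    auth = ET.Element(_q("auth"))
    ET.SubElement(auth, "mechanism").text = mechanism
    if initial_response is not None:
        resp = ET.SubElement(auth, _q("response"))
        resp.text = base64.b64encode(initial_response).decode("ascii")
    return ET.tostring(auth, encoding="unicode")


def parse_auth(xml_text):
    """Server side: return (mechanism, initial_response_bytes or None)."""
    auth = ET.fromstring(xml_text)
    if auth.tag != _q("auth"):
        raise ValueError("not a sasl:auth element")
    mech = auth.find("mechanism")
    if mech is None or not (mech.text or "").strip():
        raise ValueError("missing <mechanism/>")
    resp = auth.find(_q("response"))
    if resp is None:
        return mech.text.strip(), None
    # base64 decoding is strict: garbage here is a client error, not a secret.
    return mech.text.strip(), base64.b64decode(resp.text or "", validate=True)


def server_step(xml_text, client_first=CLIENT_FIRST):
    """Decide the server's first action for an incoming <sasl:auth>.

    Returns (action, detail), where action is one of the assumed names:
      "failure"                - unknown mechanism, or an initial response was
                                 sent for a server-first mechanism (the draft
                                 says the command fails in that case)
      "send-empty-challenge"   - client-first mechanism, no initial response:
                                 the extra round trip the post wants to avoid
      "send-initial-challenge" - server-first mechanism, server goes next
      "process-response"       - client-first mechanism with its first message
                                 already attached: the saved round trip
    """
    try:
        mechanism, response = parse_auth(xml_text)
    except ValueError as exc:
        return "failure", str(exc)
    if mechanism not in client_first:
        return "failure", "mechanism not offered: %s" % mechanism
    if client_first[mechanism]:
        if response is None:
            return "send-empty-challenge", None
        return "process-response", response
    if response is not None:
        return "failure", "initial response sent for server-first mechanism"
    return "send-initial-challenge", None


def parse_plain(response):
    """Split a PLAIN initial response into (authzid, authcid, passwd) per RFC 4616."""
    parts = response.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must have exactly three NUL-separated fields")
    return tuple(p.decode("utf-8") for p in parts)


if __name__ == "__main__":
    # Constructed sample exchange: PLAIN with the client's message piggybacked.
    wire = build_auth("PLAIN", b"\0rob\0secret")
    print(wire)
    action, detail = server_step(wire)
    print(action, parse_plain(detail) if action == "process-response" else detail)
```

The server's check for an initial response on a server-first mechanism is the one practitioners tend to forget; silently ignoring that data, rather than failing the command as the draft requires, lets a client desynchronise the mechanism state machine from the stream.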



