[xmppwg] FW: ANONYMOUS vs. UNIQUE in XMPP

Peter Saint-Andre stpeter at jabber.org
Tue Mar 1 21:13:24 CST 2005


FYI, I have just sent the following message to the SASL list.

Please discuss on the SASL list, not here:

http://www.imc.org/ietf-sasl/

/psa

----- Forwarded message from Peter Saint-Andre <stpeter at jabber.org> -----

From: Peter Saint-Andre <stpeter at jabber.org>
To: ietf-sasl at imc.org
Subject: ANONYMOUS vs. UNIQUE in XMPP

RFC 3920 [1] specifies that after an XMPP client authenticates with an 
XMPP server, it must bind a resource to the XML stream so that XML 
stanzas can be routed to the client. There are really three resource 
binding scenarios:

1. The client specifies a desired resource identifier and the server 
   accepts it.

2. The client specifies a desired resource identifier but the server 
   does not accept it, instead overruling the client and assigning a 
   resource identifier.

3. The client asks the server to assign a resource identifier and the 
   server does so.

No matter which scenario is enacted, at the end of the process the server
informs the client of its full JID (node@domain/resource).

In some deployments of XMPP, it might be helpful for an XMPP server to 
assign a full JID to the client (i.e., not just the resource identifier) 
if it authenticates with SASL ANONYMOUS, and to ensure that the "bare JID"
(node@domain portion) is unique in the context of the domain served by the 
server. The protocol flow is envisioned to be as follows:

1. Client authenticates via SASL ANONYMOUS

   C: <stream:stream 
        xmlns:stream='http://etherx.jabber.org/streams' 
        xmlns='jabber:client' 
        to='example.com' 
        version='1.0'>

   S: <stream:stream 
        xmlns:stream='http://etherx.jabber.org/streams' 
        xmlns='jabber:client' 
        id='c2s_234' 
        from='example.com' 
        version='1.0'>

   S: <stream:features>
        <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
          <mechanism>DIGEST-MD5</mechanism>
          <mechanism>ANONYMOUS</mechanism>
        </mechanisms>
      </stream:features>

   C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
            mechanism='ANONYMOUS'/>

   S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

   C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

[ note: it is recommended for the client to send an empty response ]

   S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
  
2. Server tells entity that resource binding is required

   C: <stream:stream
        xmlns:stream='http://etherx.jabber.org/streams'
        xmlns='jabber:client'
        to='example.com'
        version='1.0'>
  
   S: <stream:stream
          xmlns:stream='http://etherx.jabber.org/streams'
          xmlns='jabber:client'
          id='c2s_345'
          from='example.com'
          version='1.0'>
      <stream:features>
        <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
      </stream:features>

3. Client requests that server create a resource for it

   C: <iq type='set' id='bind_1'>
        <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
      </iq>

4. Server replies with full JID

   S: <iq type='result' id='bind_1'>
        <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
          <jid>somenode@example.com/someresource</jid>
        </bind>
      </iq>

The question arises: if a server assigns unique JIDs as a result of such
a protocol flow, is that overloading the SASL ANONYMOUS mechanism? It has
been suggested that it might be necessary to define a new SASL mechanism
(perhaps named "UNIQUE"), but as far as I can see the protocol flow for
UNIQUE would be indistinguishable from ANONYMOUS, with the only difference
being how the XMPP server handles the resource binding process. However,
we are open to defining a new SASL mechanism if that is deemed necessary.

Feedback welcome.

/psa

NOTES

[1] http://www.ietf.org/rfc/rfc3920.txt
[2] http://www.ietf.org/internet-drafts/draft-ietf-sasl-anon-05.txt


----- End forwarded message -----
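As an added example (not code from the original message, nor from any XMPP server project), the following Python sketch models the server side of the resource-binding step described above: it parses the client's `<iq type='set'>` bind request, handles the three binding scenarios (client resource accepted, client resource overruled, server-assigned resource), and, for a session authenticated with SASL ANONYMOUS, assigns a whole bare JID that is guaranteed not to collide with any registered account or any other anonymous session in the domain. The `ResourceBinder` class, the `anon-` node prefix, and the registered account `juliet` are assumptions made for this illustration. The unpredictable node and resource values come from the `secrets` module so that one client cannot guess, and thereby address stanzas to, another client's full JID.

```python
import re
import secrets
import xml.etree.ElementTree as ET

NS_BIND = "urn:ietf:params:xml:ns:xmpp-bind"
ET.register_namespace("", NS_BIND)  # serialize <bind xmlns='...'> without a prefix

# Resource identifiers the server is willing to accept verbatim (hypothetical policy).
ACCEPTABLE_RESOURCE = re.compile(r"[A-Za-z0-9._-]{1,64}")


class ResourceBinder:
    """Toy per-domain resource binding state (hypothetical, not a real XMPP server)."""

    def __init__(self, domain, anon_prefix="anon-"):
        self.domain = domain
        self.anon_prefix = anon_prefix
        self.accounts = set()  # registered nodes (bare JID local parts)
        self.bound = set()     # full JIDs currently bound to a stream

    def register(self, node):
        self.accounts.add(node)

    def _bare_in_use(self, node):
        bare = f"{node}@{self.domain}/"
        return node in self.accounts or any(j.startswith(bare) for j in self.bound)

    def _unique_node(self):
        # ANONYMOUS login: the server picks the node itself and guarantees that the
        # resulting bare JID is unique within the domain.
        while True:
            node = self.anon_prefix + secrets.token_hex(8)
            if not self._bare_in_use(node):
                return node

    def _unique_resource(self, node):
        while True:
            resource = secrets.token_urlsafe(9)
            if f"{node}@{self.domain}/{resource}" not in self.bound:
                return resource

    def bind(self, node, iq_xml, anonymous=False):
        """Process one bind request.

        node      -- authenticated username; ignored when anonymous is True
        iq_xml    -- the client's <iq type='set'> bind stanza as a string
        Returns (scenario, full_jid, result_iq_xml) where scenario is 1, 2 or 3
        as numbered in the message above.
        """
        iq = ET.fromstring(iq_xml)
        bind_el = iq.find(f"{{{NS_BIND}}}bind")
        if iq.get("type") != "set" or bind_el is None:
            raise ValueError("not a resource binding request")

        res_el = bind_el.find(f"{{{NS_BIND}}}resource")
        requested = res_el.text.strip() if res_el is not None and res_el.text else None

        if anonymous:
            # The server assigns the whole JID; a client-chosen resource is not honoured.
            node = self._unique_node()
            requested = None

        if requested is None:
            scenario, resource = 3, self._unique_resource(node)
        elif (ACCEPTABLE_RESOURCE.fullmatch(requested)
              and f"{node}@{self.domain}/{requested}" not in self.bound):
            scenario, resource = 1, requested
        else:
            scenario, resource = 2, self._unique_resource(node)

        full_jid = f"{node}@{self.domain}/{resource}"
        self.bound.add(full_jid)

        result = ET.Element("iq", type="result", id=iq.get("id"))
        bind_out = ET.SubElement(result, f"{{{NS_BIND}}}bind")
        ET.SubElement(bind_out, f"{{{NS_BIND}}}jid").text = full_jid
        return scenario, full_jid, ET.tostring(result, encoding="unicode")


# Constructed sample requests: one with a requested resource, one without.
REQ_WITH_RESOURCE = (
    "<iq type='set' id='bind_1'>"
    f"<bind xmlns='{NS_BIND}'><resource>balcony</resource></bind></iq>"
)
REQ_NO_RESOURCE = f"<iq type='set' id='bind_2'><bind xmlns='{NS_BIND}'/></iq>"


def jid_from_result(result_iq_xml):
    """Extract the <jid> text from a bind result, as a client would."""
    return ET.fromstring(result_iq_xml).find(f"{{{NS_BIND}}}bind/{{{NS_BIND}}}jid").text


if __name__ == "__main__":
    binder = ResourceBinder("example.com")
    binder.register("juliet")  # constructed registered account
    print(binder.bind("juliet", REQ_WITH_RESOURCE))            # scenario 1
    print(binder.bind("juliet", REQ_WITH_RESOURCE))            # scenario 2: 'balcony' taken
    print(binder.bind("juliet", REQ_NO_RESOURCE))              # scenario 3
    print(binder.bind(None, REQ_WITH_RESOURCE, anonymous=True))  # server-assigned bare JID
```

The anonymous branch is the point of the message: the SASL exchange itself is identical to plain ANONYMOUS, and the only behavioural difference lives in `bind`, where the server refuses the client's choice of resource and synthesizes a node that cannot collide with a registered account or a concurrent anonymous session.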