Re: [Standards] SASL EXTERNAL (XEP-0178) and client awkwardness

2013-08-15 Thread Dave Cridland
On Thu, Aug 15, 2013 at 8:47 PM, Thijs Alkemade wrote:
> Both the server's and the client's certificate are sent in plain during the handshake. This means that any id-on-xmppAddr attribute, common name field or any other personal info on the certificate will be visible to any passive obse

Re: [Standards] SASL EXTERNAL (XEP-0178) and client awkwardness

2013-08-15 Thread Thijs Alkemade
On 20 jun. 2013, at 05:14, Peter Saint-Andre wrote:
>
>>> So when we wrote XEP-0178 this was fairly vague, but the upshot is that it probably needs some revision:
>>>
>>> 1) The right way to specify the jid you're expecting to become is by using the from attribute of the stream.

Re: [Standards] SASL EXTERNAL (XEP-0178) and client awkwardness

2013-06-19 Thread Peter Saint-Andre
On 6/15/13 4:05 AM, Thijs Alkemade wrote:
>
> On 14 jun. 2013, at 23:10, Dave Cridland wrote:
>
>> On Fri, Jun 14, 2013 at 9:23 PM, Thijs Alkemade wrote:
>>
>> I don't see any possible downside to the client always sendin

Re: [Standards] SASL EXTERNAL (XEP-0178) and client awkwardness

2013-06-15 Thread Thijs Alkemade
On 14 jun. 2013, at 23:10, Dave Cridland wrote:
> On Fri, Jun 14, 2013 at 9:23 PM, Thijs Alkemade wrote:
> I don't see any possible downside to the client always sending its desired authzid, except for maybe ~20 characters of extra data. The server can still do the same checking. I propose c

Re: [Standards] SASL EXTERNAL (XEP-0178) and client awkwardness

2013-06-14 Thread Dave Cridland
On Fri, Jun 14, 2013 at 10:24 PM, Kurt Zeilenga wrote:
>
> On Jun 14, 2013, at 2:10 PM, Dave Cridland wrote:
>
>> Obviously if the same name was used in both places, this was the same as not requesting Proxy Auth.
>
> Actually, not necessarily so.
>
> Note that even where the credentials do con

Re: [Standards] SASL EXTERNAL (XEP-0178) and client awkwardness

2013-06-14 Thread Kurt Zeilenga
On Jun 14, 2013, at 2:10 PM, Dave Cridland wrote:
> Obviously if the same name was used in both places, this was the same as not requesting Proxy Auth.

Actually, not necessarily so. Note that even where the credentials do contain an authzid, it's in the mechanism's name space whereas the au

Re: [Standards] SASL EXTERNAL (XEP-0178) and client awkwardness

2013-06-14 Thread Kurt Zeilenga
Basically, my recommendation is, clients should generally not assert an authzid. The exception is when the user specifically requests the client to do so, whether for identity assumption or to authenticate to some server which might use it to select between multiple possible accounts for the s

Re: [Standards] SASL EXTERNAL (XEP-0178) and client awkwardness

2013-06-14 Thread Dave Cridland
On Fri, Jun 14, 2013 at 9:23 PM, Thijs Alkemade wrote:
> I don't see any possible downside to the client always sending its desired authzid, except for maybe ~20 characters of extra data. The server can still do the same checking. I propose clients SHOULD send an authzid, except in case

Re: [Standards] SASL EXTERNAL (XEP-0178) and client awkwardness

2013-06-14 Thread Kurt Zeilenga
On Jun 14, 2013, at 1:23 PM, Thijs Alkemade wrote:
> Hello!
>
> While working on XEP-0178 and XEP-0257 support, I noticed XEP-0178 makes the distinction between 3 possible scenarios: the certificate contains one, more than one or zero xmppAddr fields. Depending on the scenario and the auth