SASL External Auth (as specified in XEP-0178) relies on the TLS layer to
verify X.509 certificates. However, clients connecting using BOSH
(XEP-0124) don't use TLS encryption; they use https:// instead (i.e.,
they do not present a certificate before SASL). I think it might
therefore be useful to define a protocol independent of TLS that enables
X.509 certificate presentation and verification of ownership. The
protocol would be advertised as a stream feature and performed before SASL.
I don't know enough about the TLS protocol. Perhaps it allows
certificate verification without resulting in any stream encryption? In
which case, there might not be any need to define a new protocol.
Thoughts?
- Ian
Subject: [Standards] SASL External via X.509 without TLS
From: Ian Paterson