Evan Schoenberg of the Adium project pinged offlist regarding the proper behavior for a client to follow if SASL authentication fails using one mechanism but other mechanisms are available. I think a flow like the following makes sense (I ran this by Alexey Melnikov and he concurred).
C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='DIGEST-MD5'>=</auth>

   challenge + response etc.

S: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
     <not-authorized/>
   </failure>

C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'/>

Alexey pointed out that we probably need to specify some text like this:

   SASL mechanisms MUST be tried in the order of their strength as perceived by the client (assuming the client has this information). For example, if the server advertises "PLAIN DIGEST-MD5 GSSAPI" or "DIGEST-MD5 GSSAPI PLAIN", the client should try GSSAPI first, then DIGEST-MD5, then PLAIN. The client should also be able to disallow some mechanisms (e.g. PLAIN).

Peter

--
Peter Saint-Andre
https://stpeter.im/
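An added example (not code from the original message, Adium, or any XMPP library) of the client-side flow described above: rank the server's advertised mechanisms by client-perceived strength, skip mechanisms the client disallows, and fall back to the next mechanism when the server answers with <failure/>. The strength ranking, the helper names, and the stub server are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Iterable, Optional

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
# Strongest first, as perceived by this hypothetical client (an assumption).
CLIENT_STRENGTH_ORDER = ("GSSAPI", "DIGEST-MD5", "PLAIN")


def order_mechanisms(advertised: Iterable[str], disallowed: Iterable[str] = ()) -> list:
    """Advertised mechanisms to try, strongest first, regardless of the
    order the server listed them; unknown or disallowed ones are skipped."""
    adv, banned = set(advertised), set(disallowed)
    return [m for m in CLIENT_STRENGTH_ORDER if m in adv and m not in banned]


def auth_stanza(mechanism: str, initial_response: Optional[str] = None) -> str:
    """Build <auth/>; an empty-string initial response is sent as '='."""
    body = "=" if initial_response == "" else (initial_response or "")
    if body:
        return f"<auth xmlns='{SASL_NS}' mechanism='{mechanism}'>{body}</auth>"
    return f"<auth xmlns='{SASL_NS}' mechanism='{mechanism}'/>"


def failure_condition(stanza: str) -> Optional[str]:
    """Return the SASL error condition (e.g. 'not-authorized') for a
    <failure/> reply, or None for any other reply such as <success/>."""
    el = ET.fromstring(stanza)
    if el.tag != f"{{{SASL_NS}}}failure":
        return None
    for child in el:
        return child.tag.split("}", 1)[1]
    return "failure"  # <failure/> with no condition child


def authenticate(advertised, disallowed, send: Callable[[str], str]) -> tuple:
    """Try each permitted mechanism in turn; send(stanza) returns the server
    reply. Returns (winning mechanism or None, [(mechanism, condition), ...])."""
    attempts = []
    for mech in order_mechanisms(advertised, disallowed):
        cond = failure_condition(send(auth_stanza(mech, "")))
        if cond is None:
            return mech, attempts
        attempts.append((mech, cond))
    return None, attempts


def stub_server(stanza: str) -> str:
    """Constructed stand-in for the server: only PLAIN succeeds here."""
    if ET.fromstring(stanza).get("mechanism") == "PLAIN":
        return f"<success xmlns='{SASL_NS}'/>"
    return f"<failure xmlns='{SASL_NS}'><not-authorized/></failure>"
```

With the stub, a client that allows PLAIN ends up authenticated via PLAIN after two <failure/> replies, while one that disallows PLAIN exhausts its list and ends with no authentication.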