Evan Schoenberg of the Adium project pinged offlist regarding the proper behavior for a client to follow if SASL authentication fails using one mechanism but other mechanisms are available. I think a flow like the following makes sense (I ran this by Alexey Melnikov and he concurred).
C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='DIGEST-MD5'>=</auth>
challenge + response etc.
S: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<not-authorized/>
</failure>
C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='PLAIN'/>
Alexey pointed out that we probably need to specify some text like this:
SASL mechanisms MUST be tried in the order of their strength as
perceived by the client (assuming the client has this information).
For example, if the server advertises "PLAIN DIGEST-MD5 GSSAPI" or
"DIGEST-MD5 GSSAPI PLAIN", the client should try GSSAPI first, then
DIGEST-MD5, then PLAIN. The client should also be able to disallow
some mechanisms (e.g. PLAIN).
Peter
--
Peter Saint-Andre
https://stpeter.im/
smime.p7s
Description: S/MIME Cryptographic Signature
