Peter Saint-Andre wrote:
>> s2s step 10 includes the authorization identity, whereas section 9.2.2.
>> in the RFC includes an empty response.
>> Unless we consider that a bug in the RFC we need some kind of handling
>> for using the stream's from attribute in step 11 when the response is
>> empty.
>
> I think it depends.
>
> As in XEP-0220, if the sending domain is authorizing as (e.g.) a
> subdomain such as chat.sender.tld then wouldn't the originating server
> specify that as an authorization identity? Or do we assume that the

Multiple authentications?

> 'from' will always match the authorization identity, in which case it's

That assumption is already there, because the receiving server offers EXTERNAL only if the 'from' is contained in the certificate.

> never necessary to include the authzid? I suppose the latter approach is
> simpler...

Sure. But that was changed in version 0.0.3 and I don't think we can "fix" that now nor is there a compelling reason.

I have no objections to adding a fallback to the stream's in s2s step 11 if the authorization id is empty. IIRC some servers already do that.

philipp
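
The fallback discussed in this message, sketched from the receiving server's side as an added example (not part of the original thread and not any server's actual code). The names `resolve_authzid`, `cert_covers` and `AuthzError` are hypothetical, the domains are constructed, and certificate matching is reduced to exact names plus a single-label wildcard.

```python
import base64

class AuthzError(Exception):
    """The peer must not be authorized; the server would answer with a SASL failure."""

def cert_covers(domain, cert_names):
    """True if `domain` equals a certificate identity or matches a '*.' wildcard label."""
    domain = domain.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == domain:
            return True
        # Simplified wildcard rule: '*' stands for exactly one left-most label.
        if name.startswith("*.") and "." in domain and domain.split(".", 1)[1] == name[2:]:
            return True
    return False

def resolve_authzid(stream_from, auth_payload, cert_names):
    """Return the domain the stream is authorized as, or raise AuthzError.

    auth_payload is the character data of the SASL EXTERNAL <auth/> element.
    Assumption: an absent payload is handled like the empty response "=".
    """
    payload = auth_payload.strip()
    if payload in ("", "="):  # "=" encodes a zero-length response in RFC 6120
        authzid = ""
    else:
        try:
            authzid = base64.b64decode(payload, validate=True).decode("utf-8")
        except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
            raise AuthzError("malformed SASL response") from exc
    if not authzid:
        authzid = stream_from or ""  # the fallback: use the stream's 'from'
    if not authzid:
        raise AuthzError("empty authzid and no stream 'from' to fall back to")
    # Never trust the claimed identity on its own: it must be in the certificate.
    if not cert_covers(authzid, cert_names):
        raise AuthzError(f"{authzid!r} is not contained in the presented certificate")
    return authzid.lower().rstrip(".")

if __name__ == "__main__":
    names = ["sender.tld", "*.sender.tld"]  # constructed certificate identities
    print(resolve_authzid("sender.tld", "=", names))
    print(resolve_authzid("sender.tld", "Y2hhdC5zZW5kZXIudGxk", names))
```
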
