On 4/14/11 6:11 AM, Philipp Hancke wrote: > Peter Saint-Andre wrote: >>> s2s step 10 includes the authorization identity, whereas section 9.2.2. >>> in the RFC includes an empty response. >>> Unless we consider that a bug in the RFC we need some kind of handling >>> for using the stream's from attribute in step 11 when the response is >>> empty. >> >> I think it depends. >> >> As in XEP-0220, if the sending domain is authorizing as (e.g.) a >> subdomain such as chat.sender.tld then wouldn't the originating server >> specify that as an authorization identity? Or do we assume that the > > Multiple authentications? > >> 'from' will always match the authorization identity, in which case it's > > That assumption is already there, because the receiving server offers > EXTERNAL only if the 'from' is contained in the certificate.
You're right. >> never necessary to include the authzid? I suppose the latter approach is >> simpler... > > Sure. But that was changed in version 0.0.3 and I don't think we can > "fix" that now nor is there a compelling reason. No, there is no compelling need -- such flexibility might be desirable someday, but we don't design for someday. > I have no objections to adding a fallback to the stream's in s2s step 11 > if the authorization id is empty. IIRC some servers already do that. What is the nature of the fallback? Peter -- Peter Saint-Andre https://stpeter.im/
smime.p7s
Description: S/MIME Cryptographic Signature
