On Jun 14, 2013, at 1:23 PM, Thijs Alkemade <th...@xnyhps.nl> wrote:

> Hello!
> 
> While working on XEP-0178 and XEP-0257 support, I noticed XEP-0178 makes the
> distinction between 3 possible scenarios: the certificate contains one, more
> than one or zero xmppAddr fields. Depending on the scenario and the authzid
> the client wants to use the client must either include the authzid or use "=".

IMO...  Unless the user desires to assume the identity of another user, the 
authzid should be empty.  If the user simply wants to use their cert (or one of 
their certs), the user should just use it.  The server should be capable of 
figuring out what JID is associated with the user's certificate.  I note that 
in many deployments this involves various mappings and SANs other than xmppAddr.

> 
> This is the only reason the client would need to understand the certificate
> for the user, which increases complexity for a client.

No need for the client to parse SANs out of the user's certificate.  Just use 
it and assert no authzid.


> The server still needs
> to parse the certificate as well, as it needs to validate what the client
> sends.

Yes.  And more to the point... the client should not guess at what JID the 
server might associate with the cert.

> 
> I don't see any possible downside to the client always sending its desired
> authzid, except for maybe ~20 characters of extra data.

Because the server might associate a JID other than what the client thinks 
ought to be associated, a JID for which the user might not have wanted to 
assume the identity of.

> The server can still
> do the same checking. I propose clients SHOULD send an authzid, except in case
> the certificate contains exactly one xmppAddr field, in which case they MAY
> omit the authzid and send "=".

Again, authzid is for identity assumption... 

> Aside from this, I think the following line from 10(c) is self-contradictory:
> "only if it desires to be authorized as a JID other than the address specified
> during SASL negotiation". This _is_ the SASL negotiation, unless I'm missing
> something this is where an authcid needs to be sent.

The server determines the user JID from the credentials, in the case of 
EXTERNAL, from a certificate or other lower level credential.

Even in PLAIN, the server is free to derive a JID from PLAIN's credentials.  
Don't assume SASL authcid == user's JID.

> I don't understand where
> the client would communicate its desired JID if it uses a certificate with
> zero xmppAddr fields and sends "=".

The client doesn't communicate the user's JID.  It communicates the user's 
credentials which then the server uses to determine the user's JID.

-- Kurt

> 
> Regards,
> Thijs

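The following is an added example, not code from this thread or from either poster, showing the server-side view Kurt describes: the server extracts the id-on-xmppAddr values from the client certificate's SubjectAltName itself, derives the user's JID from that credential, and treats a non-empty authzid purely as an identity-assumption request that must be checked. The DER helpers and the sample SAN are constructed inline so the block runs offline; `jid_mapping` (certificate subject to JID) and `assume_acl` (who may assume which JID) are hypothetical stand-ins for the deployment-specific mappings the thread mentions but does not specify, and the authorization policy is an illustration rather than a transcription of XEP-0178's exact wording.

```python
import base64

XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr (RFC 6120, XEP-0178)

# --- minimal DER helpers (only what this example needs) --------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * p[0] + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

# --- constructed sample input: a SubjectAltName extension value in DER -----
def build_san(xmpp_addrs, dns_names=()):
    names = b""
    for jid in xmpp_addrs:
        # otherName [0]: SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        value = _tlv(0xA0, _tlv(0x0C, jid.encode("utf-8")))
        names += _tlv(0xA0, _encode_oid(XMPP_ADDR_OID) + value)
    for dns in dns_names:
        names += _tlv(0x82, dns.encode("ascii"))  # dNSName [2] IA5String
    return _tlv(0x30, names)

# --- client side: the SASL EXTERNAL initial response ----------------------
def encode_initial_response(authzid):
    """Empty authzid is sent as '=', otherwise base64 of the JID."""
    return "=" if authzid == "" else base64.b64encode(authzid.encode()).decode()

def decode_initial_response(text):
    return "" if text == "=" else base64.b64decode(text).decode("utf-8")

# --- server side: parse the credential, then decide ------------------------
def xmpp_addrs_from_san(san_der):
    """Return every id-on-xmppAddr value found in a DER SubjectAltName."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    addrs, pos = [], 0
    while pos < len(body):
        tag, gn, pos = _read_tlv(body, pos)
        if tag != 0xA0:                      # only otherName carries xmppAddr
            continue
        t, oid, p = _read_tlv(gn, 0)
        if t != 0x06 or _decode_oid(oid) != XMPP_ADDR_OID:
            continue
        t, explicit, _ = _read_tlv(gn, p)    # [0] EXPLICIT wrapper
        t2, utf8, _ = _read_tlv(explicit, 0)
        if t == 0xA0 and t2 == 0x0C:
            addrs.append(utf8.decode("utf-8"))
    return addrs

def authorize(san_der, initial_response, subject, jid_mapping, assume_acl):
    """Return the JID the session is authorized as, or None to reject.

    jid_mapping and assume_acl are hypothetical deployment policy tables.
    """
    authzid = decode_initial_response(initial_response)
    cert_jids = xmpp_addrs_from_san(san_der)
    # 1. Derive the user's identity from the credential, never from the client.
    if len(cert_jids) == 1:
        authcid = cert_jids[0]
    elif not cert_jids:
        authcid = jid_mapping.get(subject)   # deployment mapping (assumed)
    else:
        authcid = None                       # ambiguous without an authzid
    # 2. Empty authzid: the user just wants to be themselves.
    if authzid == "":
        return authcid
    # 3. Non-empty authzid: an identity assumption, which must be permitted.
    if authzid in cert_jids:
        return authzid
    if authcid and authzid in assume_acl.get(authcid, ()):
        return authzid
    return None
```

The point of the split between `authcid` and `authzid` is Kurt's: the client never tells the server who it is, only hands over the certificate, and a JID in the initial response is a request to be authorized as someone, which the server either finds in the certificate or checks against its own policy. A client that sends "=" with a multi-xmppAddr certificate is rejected here as ambiguous rather than guessed at.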