[JDEV] SASL, deployment and coding
David Waite
mass at akuma.org
Tue Feb 4 17:40:45 CST 2003
Matthew Beacher wrote:
> 1) Can the User Registration that is built into SASL be used to join a
> Jabber Server or must the Jabber Registration system (as stated in
> http://www.jabber.org/protocol/registration.html ) be used? I ask
> because SASL has built in registration and authentication, and I am
> unsure how to tap into the SASL password files.
AFAIK, SASL does not have user registration, just authentication. You
may have seen the mechanism registration, which is the procedure for
having the IANA recognize new authentication mechanisms.
> 2) How flexible should a server be in the order of received elements?
> Should a server be hard line on receiving elements in the order listed,
> or should it be more open in the ordering, so long as all required
> elements are there?
Ordering of child elements within a stanza does not matter in the
existing namespaces. Please let us know if you see documentation which
contradicts this :-)
> 3) Has anyone else thought that all servers should require SASL
> encryption level of at least 40 (read 40 bit encryption), and that
> with this there should be an addition to Jabber:Server:DialBack and
> SASL so that Server to server communications are encrypted, because
> what is the good of a message that is only encrypted some of the time.
Since you cannot specify a required delivery path or required security
parameters (read: only on encrypted connections, to servers with a
certificate signed by a client-trusted CA), SSL cannot and should not
be used for end-to-end encryption. There is an informational draft which
describes how many existing clients use OpenPGP for end-to-end
encryption, and there are proposals on how to do this with the W3C XML
Encryption recommendation.
-David Waite