[jdev] SASL EXTERNAL for s2s in jabberd14
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Fri Nov 4 17:59:13 CST 2005
On Friday 04 November 2005 15:22, Matthias Wimmer wrote:
> If there is no from attribute, I offer SASL EXTERNAL whenever I can
> verify the certificate to be valid, doesn't matter for which identity it
> is valid.
> If there is a from attribute, I make the same checks as if there is no
> from attribute, but in addition I check if the content of the from
> attribute (after stringprep) matches one of the identities in the
> certificate (after stringprep).
>
> With SASL EXTERNAL the client sends the authorization identity in the
> initial response (base64 encoded as CDATA in the <auth/> element). At
> that point I recheck the certificate, if it contains the authorization
> identity and authenticate and authorize this ID (even if it differs from
> the domain sent in the from attribute).
Since the authzid overrides the from attribute, what is the purpose of using
the from attribute at all? What problem are you solving with this
mini-optimization?
-Justin
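
The two checks described in the quoted message, as an added example that is not code from jabberd14 or from either poster: the `from` attribute only gates whether EXTERNAL is offered, while the authzid from the `<auth/>` CDATA decides which domain is authorized. The function names and the sample identities are hypothetical. Certificate chain validation and identity extraction are assumed to happen elsewhere and arrive as `cert_valid` and `cert_identities`.

```python
import base64
from encodings.idna import nameprep  # stdlib Nameprep, the stringprep profile for domain labels

# Constructed sample: identities extracted from an already validated peer certificate.
SAMPLE_CERT_IDS = ["example.org", "conference.example.org"]


def prep(domain):
    """Apply stringprep label by label; return None if the name is rejected."""
    try:
        return ".".join(nameprep(label) for label in domain.split("."))
    except UnicodeError:
        return None


def cert_has_identity(cert_identities, name):
    """Compare after stringprep on both sides, as the quoted text describes."""
    wanted = prep(name)
    if not wanted:
        return False
    return wanted in {prep(identity) for identity in cert_identities}


def offer_external(cert_valid, cert_identities, stream_from=None):
    """Decide whether EXTERNAL is listed in the stream features."""
    if not cert_valid:
        return False
    if stream_from is None:
        return True  # no from attribute: a valid certificate for any identity suffices
    return cert_has_identity(cert_identities, stream_from)


def authorize(cert_valid, cert_identities, auth_cdata):
    """Recheck the certificate against the authzid; return the authorized domain or None."""
    if not cert_valid:
        return None
    try:
        # Malformed base64, non-ASCII CDATA and invalid UTF-8 all raise ValueError subclasses.
        authzid = base64.b64decode(auth_cdata, validate=True).decode("utf-8")
    except ValueError:
        return None
    # The authzid is checked on its own, independent of any earlier from attribute.
    return prep(authzid) if cert_has_identity(cert_identities, authzid) else None
```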