[jdev] S2S questions - from attribute and version support
Jacek Konieczny
jajcus at jajcus.net
Fri Jan 6 02:46:35 CST 2006
On Thu, Jan 05, 2006 at 04:22:13PM -0000, Richard Dobson wrote:
> Huh, right to which? Does it open you up to forgery or not, and if TLS is
> enough to prevent forgery on its own then why aren't we just using that on
> its own without SASL?
TLS does authentication only, no authorization. TLS tells us if the
peer we talk to is who he claims to be (the certificates are verified),
but authorization (deciding if it is the one we want to talk with)
is done via SASL. Implicit authorization just after the TLS handshake could
be done, but IMHO it is better to do it in one place, for every XMPP
stream. And some people may want to use another authentication or
authorization method after the TLS connection is established. There would be
no way to inform the peer about that or tell him why the connection is
broken.
Greets,
Jacek
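The two-step split described above, as an added example that is not part of the original post: a small Python model in which the TLS step yields the names the peer's verified certificate asserts, and the SASL EXTERNAL step decides whether that authenticated peer may act as the domain it asks for, answering with the SASL success or failure element the receiving server would send (element names follow the XMPP SASL namespace; the certificate dicts and helper names are constructed for this example).

```python
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample "certificates": what the TLS layer hands us after chain
# validation. Real code would take these values from the X.509 object.
CERT_OK = {"chain_valid": True, "dns_names": {"example.org"}}
CERT_OTHER = {"chain_valid": True, "dns_names": {"other.example"}}
CERT_BAD = {"chain_valid": False, "dns_names": {"example.org"}}


def tls_authenticate(peer_cert):
    """TLS step: who is the peer? Returns the set of DNS names the verified
    certificate asserts, or None when certificate validation failed."""
    if not peer_cert["chain_valid"]:
        return None
    return set(peer_cert["dns_names"])


def sasl_failure(condition):
    """Build <failure xmlns=SASL_NS><condition/></failure> for the peer."""
    el = ET.Element("failure", xmlns=SASL_NS)
    ET.SubElement(el, condition)
    return el


def sasl_external(authenticated_names, authzid):
    """SASL EXTERNAL step on the receiving server: may this peer act as the
    domain `authzid` it asks for? The decision, and the reason for a refusal,
    goes back to the peer as a SASL element instead of a silent disconnect."""
    if not authenticated_names:
        return sasl_failure("not-authorized")   # no TLS identity to authorize
    if authzid not in authenticated_names:
        return sasl_failure("invalid-authzid")  # authenticated, but not as that domain
    return ET.Element("success", xmlns=SASL_NS)


def s2s_inbound(peer_cert, authzid):
    """Run both steps in order; return the outcome tag and the stanza sent."""
    reply = sasl_external(tls_authenticate(peer_cert), authzid)
    return reply.tag, ET.tostring(reply, encoding="unicode")


if __name__ == "__main__":
    for cert in (CERT_OK, CERT_OTHER, CERT_BAD):
        print(sorted(cert["dns_names"]), "->", s2s_inbound(cert, "example.org")[1])
```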