[jdev] How to specify username with SASL ANONYMOUS
Peter Saint-Andre
stpeter at stpeter.im
Thu Oct 18 10:29:58 CDT 2007
On Thu, Oct 18, 2007 at 10:19:40AM +0200, Ralph Meijer wrote:
>
> On Wed, 2007-10-17 at 15:48 -0600, Peter Saint-Andre wrote:
> > On Wed, Oct 17, 2007 at 02:40:26PM -0700, Justin Karneges wrote:
> > > On Wednesday 17 October 2007 2:11 pm, Mark Doliner wrote:
> > > > So I've read through XEP-0175[1], and I think I have a pretty good idea of
> > > > how SASL ANONYMOUS login is supposed to work (I love the protocol
> > > > flow--thank you).
> > > >
> > > > But it's not clear to me how the client is supposed to specify a username.
> > > > This is supposed to be possible, right? Or is the node always assigned by
> > > > the server no matter what? Should I just send the base64 encoded username
> > > > as text within the 'auth' element?
> > >
> > > XEP-175 doesn't seem to mention the fact that SASL ANONYMOUS can send data.
> > > The rfc3920bis-04 document even indicates that transmitting an initial
> > > response with ANONYMOUS is is invalid (section 7.5.5). This is wrong,
> > > ANONYMOUS can send data, and it can be an initial response or not. See RFC
> > > 4505.
> > >
> > > The client response for ANONYMOUS is "trace" data. This is just supposed to
> > > be some generic id string, possibly an email address (like how anonymous FTP
> > > would often ask you to put your email address as the password, that's what
> > > this essentially replaces). It might be interesting to specify in XEP-175
> > > that the trace data may be used as a node suggestion.
> >
> > How is ANONYMOUS used right now? Do XMPP servers (1) create a temporary
> > node or (2) create a temporary resource for some anonymous user? I think
> > that (1) is probably a safer approach, in which case it might be nice to
> > specify the "trace" data in version 1.1 of XEP-0175 (and of course correct
> > rfc3920bis while we're at it).
>
> It seems to me that ANONYMOUS is inherently not intended to give a user
> a more or less permanent handle that has part of the user's identity
> encoded in it.
>
> As I see it, the trace data is for allowing administrators to have some
> way to contact the user. The validity of this information is not
> verified and also may cause privacy issues if sent automatically by
> client implementations.
Hmm, that seems correct (yes I contradict myself). As far as I have
seen, anonymous users get full JIDs like <anonymous at example.org/foo>,
where "foo" is some UUID. And I agree with you that in other systems
the trace data is used to provide to provide an ID associated with user
outside the system (similar to providing an email address for anonymous
FTP access in the old days).
Although rfc3920bis is not consistent with RFC 4505 on this point (i.e.,
you can indeed send data), we have not specified any usage for the trace
data in XMPP. Until and unless we do so, I don't think it would be good
to encourage this behavior.
Peter
--
Peter Saint-Andre
https://stpeter.im/
More information about the JDev
mailing list