git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@230 4b5297f7-1745-476d-ba37-a9c6900126ab
Peter Saint-Andre 2006-11-28 03:05:50 +00:00
parent a5ac589767
commit 9598e79416
1 changed files with 10 additions and 4 deletions


@ -22,6 +22,12 @@
<shortname>N/A</shortname>
&stpeter;
&pgmillard;
<revision>
<version>0.4</version>
<date>2006-11-27</date>
<initials>psa</initials>
<remark><p>Modified XMPP address encapsulation methods per rfc3920bis; clarified conditions for certificates to be considered acceptable.</p></remark>
</revision>
<revision>
<version>0.3</version>
<date>2006-09-21</date>
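Review bot: the 0.4 remark records a "clarification" of certificate acceptability, but the server-to-server hunk later in this change also drops matching against the certificate's Common Name ("or one of the Common Names in the certificates" is removed), which is a behaviour change rather than a clarification. Suggest extending the remark so the revision history reflects it, e.g. "...; removed Common Name matching in favour of subjectAltName (otherName/dNSName) matching for server-to-server authentication."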
@ -116,7 +122,7 @@
<p>Server validates certificate.</p>
<ol>
<li>
<p>If certification authority is untrusted or certificate has been revoked, server closes client's TCP connection.</p>
<p>If certificate is unacceptable (e.g., because the certificate has been revoked, because the certificate has expired, or because the root certificate was issued by a certification authority that is untrusted), server closes client's TCP connection.</p>
</li>
<li>
<p>Else server completes successful TLS negotiation and client initiates a new stream header to server.</p>
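Review bot: "because the root certificate was issued by a certification authority that is untrusted" is muddled, since a root certificate is self-issued; the condition meant is that the chain terminates in a root CA the server does not trust. Suggest "because the certificate chains to a root certification authority that is untrusted". It would also help to say the parenthetical list is illustrative, and to define the full acceptability criteria (revocation, validity period, trust anchor, plus the identity checks in the following steps) once, since the same sentence is repeated verbatim for the server-to-server case.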
@ -164,7 +170,7 @@
<p>Server determines whether to allow authenticatation of user.</p>
<ol>
<li>
<p>If the certificate presented by the client contains only one valid XMPP address <note>A valid XMPP address is a JID encapsulated as a subjectAltName with an ASN.1 Object Identifier of "id-on-xmppAddr" (which is equivalent to the dotted display format of "1.3.6.1.5.5.7.8.5").</note> that corresponds to a registered account on the server, the server SHOULD allow authentication of that JID.</p>
<p>If the certificate presented by the client contains only one valid XMPP address that corresponds to a registered account on the server, the server SHOULD allow authentication of that JID. For the purpose of client authentication with a server, a valid XMPP address is a JID encapsulated as a subjectAltName entity of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr" as specified in Section 5.1.1. of <cite>RFC 3920</cite>.</p>
<code><![CDATA[
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
]]></code>
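Review bot: the replaced note carried the dotted OID "1.3.6.1.5.5.7.8.5" for id-on-xmppAddr and the new text drops it in favour of a citation to Section 5.1.1 of RFC 3920; keep the dotted form alongside the name, since that is what implementers put into certificate requests and match against. Two consistency points: the 0.4 revision remark says the change is "per rfc3920bis" while this sentence cites RFC 3920, so pick one normative reference; and "subjectAltName entity of type otherName" here should read "subjectAltName extension of type otherName", as in the server-to-server text later in this change.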
@ -252,7 +258,7 @@
<p>Server2 validates certificate.</p>
<ol>
<li>
<p>If certification authority is untrusted or certificate has been revoked, Server2 closes Server1's TCP connection.</p>
<p>If certificate is unacceptable (e.g., because the certificate has been revoked, because the certificate has expired, or because the root certificate was issued by a certification authority that is untrusted), Server2 closes Server1's TCP connection.</p>
</li>
<li>
<p>Else Server2 completes successful TLS negotiation and Server1 initiates a new stream header to Server2.</p>
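Review bot: same wording problem as in the client-to-server case: "the root certificate was issued by a certification authority that is untrusted" should be "the certificate chains to a root certification authority that is untrusted". Since this paragraph is now a verbatim copy of the earlier one, consider defining "unacceptable certificate" once and referring to it from both places so the two lists do not drift apart in later revisions.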
@ -301,7 +307,7 @@
<p>Server2 determines if hostname is valid.</p>
<ol>
<li>
<p>If the authorization identity provided by Server1 matches one of the valid XMPP addresses <note>A valid XMPP address is a JID encapsulated as a subjectAltName with an ASN.1 Object Identifier of "id-on-xmppAddr" (which is equivalent to the dotted display format of "1.3.6.1.5.5.7.8.5").</note> in the certificate or one of the Common Names in the certificates, Server2 SHOULD return success.</p>
<p>If the authorization identity provided by Server1 matches one of the valid XMPP addresses in the certificate, Server2 SHOULD return success. For the purpose of server authentication with another server, a valid XMPP address is a JID encapsulated as a subjectAltName extension of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr" or a domain name (which MAY include the wildcard character '*') encapsulated as a subjectAltName extension of type dNSName.</p>
<code><![CDATA[
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
]]></code>
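Review bot: "a domain name (which MAY include the wildcard character '*')" places no restriction on where the wildcard may appear or how it is matched, so a dNSName of "*" or "*.*" would satisfy this rule for any authorization identity. State that the wildcard is permitted only as the complete left-most label and matches exactly one label (not a dot-separated suffix), or cite the matching rules being relied on. Also worth stating explicitly that Common Name matching is removed, so a certificate that carries the server's name only in the subject CN will now be rejected at this step; that is a deliberate tightening and should be called out rather than left implicit in the deleted text.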