diff --git a/xep-0178.xml b/xep-0178.xml index c6ae3b86..186a3774 100644 --- a/xep-0178.xml +++ b/xep-0178.xml @@ -24,10 +24,10 @@ &stpeter; &pgmillard; - 1.1rc4 - in progress, last updated 2011-04-14 + 1.1rc5 + in progress, last updated 2011-04-20 psa -

Updated to reflect RFC 6120 and RFC 6125.

 +

Updated to be consistent with RFC 6120 and RFC 6125.

 1.0 @@ -97,7 +97,7 @@ -

XMPP as specified in &rfc3920; and updated in &rfc6120; allows the use of any SASL (&rfc4422;) mechanism in the authentication of XMPP entities. This document specifies a recommended protocol flow for use of the SASL EXTERNAL mechanism with PKIX (&rfc5280;) certificates This specification focuses on the use of the SASL EXTERNAL mechanism with X.509 certificates. Future specifications may document best practices for use of SASL EXTERNAL outside the context of the X.509 infrastructure, for example via Internet Protocol Security (IPSec) as specified in &rfc4301;., expecially when an XMPP service indicates that TLS is mandatory-to-negotiate. The protocol flows when TLS is not required are more complicated (e.g., alternate flows involving server dialback) and may be described in a future version of this document.

+

XMPP as specified in &rfc3920; and updated in &rfc6120; allows the use of any SASL (&rfc4422;) mechanism in the authentication of XMPP entities. This document specifies a recommended protocol flow for use of the SASL EXTERNAL mechanism with PKIX (&rfc5280;) certificates This specification focuses on the use of the SASL EXTERNAL mechanism with X.509 certificates. Future specifications may document best practices for use of SASL EXTERNAL outside the context of the X.509 infrastructure, for example via Internet Protocol Security (IPSec) as specified in &rfc4301;., expecially when an XMPP service indicates that TLS is mandatory-to-negotiate.

As specified in RFC 3920 and updated in RFC 6120, during the stream negotiation process an XMPP client can present a certificate (a "client certificate"). If a JabberID is included in a client certificate, it is encapsulated as an id-on-xmppAddr Object Identifier ("xmppAddr"), i.e., a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr" as specified in Section 13.7.1.4 of RFC 6120.

@@ -353,7 +353,7 @@ ]]>
  • -

    Server2 advertises SASL mechanisms. If the 'from' attribute of the stream header sent by Server1 can be matched against one of the identifiers provided in the certificate following the matching rules from RFC 6125, Server2 SHOULD advertise the SASL EXTERNAL mechanism. If no match is found, Server2 closes Server1's TCP connection.

    +

    Server2 advertises SASL mechanisms. If the 'from' attribute of the stream header sent by Server1 can be matched against one of the identifiers provided in the certificate following the matching rules from RFC 6125, Server2 SHOULD advertise the SASL EXTERNAL mechanism. If no match is found, Server2 MAY either close Server1's TCP connection or continue with a &xep0220; negotiation.

    @@ -364,7 +364,7 @@ ]]>
  • -

    Server1 considers EXTERNAL to be its preferred SASL mechanism. For server-to-server authentication the <auth/> element MUST NOT include an authorization identity (thus Server1 includes an empty response of "=" as shown in RFC 6120).

    +

    Server1 considers EXTERNAL to be its preferred SASL mechanism. For server-to-server authentication, the <auth/> element MAY include an authorization identity, however a future version of this specification might disallow use of the authorization identity in server-to-server authentication (in the following example, Server1 includes an empty response of "=" as shown in RFC 6120).

    = ]]>