xep-0238.xml 155KB
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY % ents SYSTEM 'xep.ent'>
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<xep>
<header>
<title>XMPP Protocol Flows for Inter-Domain Federation</title>
<abstract>This specification provides detailed protocol flows for the establishment of communication between domains that provide XMPP services, including permutations for a wide variety of possible federation policies.</abstract>
&LEGALNOTICE;
<number>0238</number>
<status>Deferred</status>
<type>Informational</type>
<sig>Standards</sig>
<approver>Council</approver>
<dependencies>
<spec>XMPP Core</spec>
<spec>XEP-0220</spec>
</dependencies>
<supersedes/>
<supersededby/>
<shortname>N/A</shortname>
&stpeter;
<revision>
<version>0.1</version>
<date>2008-03-31</date>
<initials>psa</initials>
<remark><p>Initial published version.</p></remark>
</revision>
<revision>
<version>0.0.1</version>
<date>2008-01-23</date>
<initials>psa</initials>
<remark><p>First draft.</p></remark>
</revision>
</header>
<section1 topic='Introduction' anchor='intro'>
<p>&xmppcore; describes the client-server architecture upon which Jabber/XMPP communication is based. One aspect of such communication is "federation", i.e., the ability for two XMPP servers in different domains to exchange XML stanzas. There are at least four levels of federation:</p>
<ol start='1'>
<li><p>Permissive Federation -- a server accepts a connection from any other peer on the network, even without verifying the identity of the peer based on DNS lookups. The lack of peer verification or authentication means that domains can be spoofed. Permissive federation was effectively outlawed on the Jabber network in October 2000 with the release of the jabberd 1.2 server, which included support for the newly-developed &xep0220; protocol.</p></li>
<li><p>Verified Federation -- a server accepts a connection from a peer only after the identity of the peer has been weakly verified via Server Dialback, based on information obtained via the Domain Name System (DNS) and verification keys exchanged in-band over XMPP. However, the connection is not encrypted. The use of identity verification effectively prevents domain spoofing, but federation requires proper DNS setup and is still subject to DNS poisoning attacks, because the receiving server trusts DNS to locate the authoritative server that vouches for the key. Verified federation has been the default service policy followed by servers on the open XMPP network from October 2000 until now.</p></li>
<li><p>Encrypted Federation -- a server accepts a connection from a peer only if the peer supports Transport Layer Security (TLS) as defined for XMPP in &xmppcore; and the peer presents a digital certificate. However, the certificate may be self-signed, in which case mutual authentication is typically not possible. Therefore, after STARTTLS negotiation the parties proceed to weakly verify identity using Server Dialback. This combination results in an encrypted connection with weak identity verification.</p></li>
<li><p>Trusted Federation -- a server accepts a connection from a peer only if the peer supports Transport Layer Security (TLS) and the peer presents a digital certificate issued by a trusted root certification authority (CA). The list of trusted root CAs is determined by local service policy, as is the level of trust accorded to various types of certificates (i.e., Class 1, Class 2, or Class 3). The use of trusted domain certificates effectively prevents DNS poisoning attacks but makes federation more difficult since typically such certificates are not easy to obtain.</p></li>
</ol>
<p>The remainder of this document describes in more detail the protocol flows that make it possible to deploy verified federation, encrypted federation, and trusted federation. Protocol flows are shown for federation attempts between various combinations to illustrate the interaction between different federation policies.</p>
</section1>
<section1 topic='Terminology' anchor='terminology'>
<p>To simplify the text, this document uses the following terminology. For each service type, the domain "example.lit" is used to illustrate connections to that same service type.</p>
<table caption='Example Servers'>
<tr>
<th>Service Type</th>
<th>Federation Policy</th>
<th>Certificate</th>
<th>Protocols Supported</th>
<th>Example Domain</th>
<th>Example User</th>
</tr>
<tr>
<td>Type 1</td>
<td>Verified Only</td>
<td>None</td>
<td>XMPP 0.9 <note>"XMPP 0.9" is the core XML streaming protocol used in the Jabber community before the formalization of XMPP 1.0 by the IETF in &rfc3920;, including STARTTLS and SASL.</note> and Server Dialback</td>
<td>type1.lit</td>
<td>citizen@type1.lit</td>
</tr>
<tr>
<td>Type 2</td>
<td>Verified Acceptable</td>
<td>Self-signed</td>
<td>XMPP 1.0 <note>"XMPP 1.0" is defined in <cite>RFC 3920</cite> and includes STARTTLS and SASL negotiation.</note> and Server Dialback</td>
<td>type2.lit</td>
<td>juliet@type2.lit</td>
</tr>
<tr>
<td>Type 3</td>
<td>Verified Acceptable</td>
<td>CA-issued</td>
<td>XMPP 1.0 and Server Dialback</td>
<td>type3.lit</td>
<td>romeo@type3.lit</td>
</tr>
<tr>
<td>Type 4</td>
<td>Encrypted Required</td>
<td>Self-signed</td>
<td>XMPP 1.0 and Server Dialback</td>
<td>type4.lit</td>
<td>hamlet@type4.lit</td>
</tr>
<tr>
<td>Type 5</td>
<td>Encrypted Required</td>
<td>CA-issued</td>
<td>XMPP 1.0 and Server Dialback</td>
<td>type5.lit</td>
<td>bill@type5.lit</td>
</tr>
<tr>
<td>Type 6</td>
<td>Trusted Required</td>
<td>CA-issued</td>
<td>XMPP 1.0</td>
<td>type6.lit</td>
<td>chris@type6.lit</td>
</tr>
</table>
</section1>
<section1 topic='Connection Success' anchor='success'>
<p>The following table summarizes the results of connection attempts between the various services, where "U" stands for "Unsuccessful", "V" stands for "Verified", "E" stands for "Encrypted", and "T" stands for "Trusted". The rows indicate the initiating service and the columns indicate the receiving service.</p>
<table caption='Connection Success'>
<tr>
<th></th>
<th>Type 1</th>
<th>Type 2</th>
<th>Type 3</th>
<th>Type 4</th>
<th>Type 5</th>
<th>Type 6</th>
</tr>
<tr>
<td>Type 1</td>
<td>V</td>
<td>V</td>
<td>V</td>
<td>U</td>
<td>U</td>
<td>U</td>
</tr>
<tr>
<td>Type 2</td>
<td>V</td>
<td>V</td>
<td>E</td>
<td>E</td>
<td>U</td>
<td>U</td>
</tr>
<tr>
<td>Type 3</td>
<td>V</td>
<td>V</td>
<td>E</td>
<td>E</td>
<td>E</td>
<td>T</td>
</tr>
<tr>
<td>Type 4</td>
<td>U</td>
<td>E</td>
<td>E</td>
<td>E</td>
<td>E</td>
<td>U</td>
</tr>
<tr>
<td>Type 5</td>
<td>U</td>
<td>E</td>
<td>T</td>
<td>E</td>
<td>T</td>
<td>T</td>
</tr>
<tr>
<td>Type 6</td>
<td>U</td>
<td>U</td>
<td>T</td>
<td>U</td>
<td>T</td>
<td>T</td>
</tr>
</table>
</section1>
<section1 topic='Connections from Type 1 Services' anchor='type1'>
<section2 topic='Type 1 to Type 1' anchor='type1-type1'>
<p>In this scenario, an XMPP user citizen@type1.lit attempts to send an XML stanza to user@example.lit.</p>
<example caption="Test Stanza"><![CDATA[
<iq from='citizen@type1.lit/foo'
id='t1_t1'
to='user@example.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type1.lit service attempts to initiate a server-to-server connection with example.lit (both of which support verified connections only and neither of which has a certificate).</p>
<p>First, the type1.lit service sends an initial stream header to example.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='type1.lit'
to='example.lit'>
]]></example>
<p>Next the example.lit service sends a response stream header to type1.lit. The stream ID it chooses here is the nonce that the dialback key is bound to.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.lit'
id='idt1_t1o'
to='type1.lit'>
]]></example>
<p>Because neither service supports XMPP 1.0, the type1.lit service attempts to complete a server dialback negotiation with the example.lit service. Therefore it sends a dialback key to example.lit over the existing connection.</p>
<example caption="Dialback Key"><![CDATA[
<db:result
from='type1.lit'
to='example.lit'>
some-long-dialback-key
</db:result>
]]></example>
<p>The example.lit service then performs a DNS lookup on the type1.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type1.lit service.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.lit'
to='type1.lit'>
]]></example>
<p>The authoritative server for the type1.lit service then returns a response stream header.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='type1.lit'
id='idt1_t1r'
to='example.lit'>
]]></example>
<p>The example.lit service then sends a dialback verification request to the authoritative server for the type1.lit domain, echoing the key it received together with the stream ID of the original connection.</p>
<example caption="Verification Request"><![CDATA[
<db:verify
from='example.lit'
id='idt1_t1o'
to='type1.lit'>
some-long-dialback-key
</db:verify>
]]></example>
<p>Here we assume that the authoritative server for the type1.lit domain notifies the example.lit service that the key is valid.</p>
<example caption="Key is Valid"><![CDATA[
<db:verify
from='type1.lit'
id='idt1_t1o'
to='example.lit'
type='valid'>
some-long-dialback-key
</db:verify>
]]></example>
<p>The example.lit service then returns a positive server dialback result to the originating server.</p>
<example caption="Server Dialback Result"><![CDATA[
<db:result
from='example.lit'
to='type1.lit'
type='valid'>
some-long-dialback-key
</db:result>
]]></example>
<p>Because the connection is successful, the type1.lit service routes the XML stanza from citizen@type1.lit to the example.lit service.</p>
</section2>
<section2 topic='Type 1 to Type 2' anchor='type1-type2'>
<p>In this scenario, an XMPP user citizen@type1.lit attempts to send an XML stanza to juliet@type2.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='citizen@type1.lit/foo'
id='t1_t2'
to='juliet@type2.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type1.lit service (which supports verified connections only and does not have a certificate) attempts to initiate a server-to-server connection with the type2.lit service (which accepts verified connections and has a self-signed certificate).</p>
<p>First, the type1.lit service sends an initial stream header to type2.lit. Because the header carries no version attribute, type2.lit learns that the peer speaks XMPP 0.9 only.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='type1.lit'
to='type2.lit'>
]]></example>
<p>Next the type2.lit service sends a response stream header to type1.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='type2.lit'
id='idt1_t2o'
to='type1.lit'
version='1.0'>
]]></example>
<p>The type2.lit service also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
<dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
]]></example>
<p>Because the type1.lit service does not support XMPP 1.0, it ignores the stream features (including the STARTTLS offer, so the connection stays unencrypted) and attempts to complete a server dialback negotiation with the type2.lit service. Therefore it sends a dialback key to type2.lit over the existing connection.</p>
<example caption="Dialback Key"><![CDATA[
<db:result
from='type1.lit'
to='type2.lit'>
some-long-dialback-key
</db:result>
]]></example>
<p>The type2.lit service then performs a DNS lookup on the type1.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type1.lit service.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='type2.lit'
to='type1.lit'
version='1.0'>
]]></example>
<p>The authoritative server for the type1.lit service then returns a response stream header.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='type1.lit'
id='idt1_t2r'
to='type2.lit'>
]]></example>
<p>The type2.lit service then sends a dialback verification request to the authoritative server for the type1.lit domain.</p>
<example caption="Verification Request"><![CDATA[
<db:verify
from='type2.lit'
id='idt1_t2o'
to='type1.lit'>
some-long-dialback-key
</db:verify>
]]></example>
<p>Here we assume that the authoritative server for the type1.lit domain notifies the type2.lit service that the key is valid.</p>
<example caption="Key is Valid"><![CDATA[
<db:verify
from='type1.lit'
id='idt1_t2o'
to='type2.lit'
type='valid'>
some-long-dialback-key
</db:verify>
]]></example>
<p>The type2.lit service then returns a positive server dialback result to the originating server.</p>
<example caption="Server Dialback Result"><![CDATA[
<db:result
from='type2.lit'
to='type1.lit'
type='valid'>
some-long-dialback-key
</db:result>
]]></example>
<p>Because the connection is successful, the type1.lit service routes the XML stanza from citizen@type1.lit to the type2.lit service.</p>
</section2>
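<p>The dialback exchange shown in this section and the previous one (db:result on the outbound stream, db:verify to the authoritative server located via DNS, the verdict relayed back) is simulated below as an added example; it is not part of XEP-0238 and not the code of any XMPP server. The specification only shows an opaque "some-long-dialback-key", so the key recipe used here (HMAC-SHA256 over the receiving domain, originating domain and stream ID, keyed with a hash of a per-server secret, as recommended by XEP-0185) is an assumption, and the DNS lookup is replaced by an in-memory resolver. The three scenarios at the bottom reproduce the security claims made in the introduction: an honest peer verifies, a peer that merely claims the type1.lit domain is rejected because the real type1.lit server recomputes the key with a secret the impostor does not hold, and a poisoned DNS answer defeats the check because the receiving server then asks the impostor to vouch for itself.</p>
<example caption="Added Example: Server Dialback Simulation"><![CDATA[
```python
"""Simulated XEP-0220 Server Dialback between an originating server, a
receiving server and the originating domain's authoritative server.
Added illustration; key recipe (XEP-0185 recommendation) and the
in-memory DNS stand-in are assumptions, not taken from XEP-0238."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

NS_DB = "jabber:server:dialback"
ET.register_namespace("db", NS_DB)


def _el(name, attrs, text):
    """Serialize one <db:...> element as the servers would put it on the wire."""
    el = ET.Element(f"{{{NS_DB}}}{name}", attrs)
    el.text = text
    return ET.tostring(el)


class Server:
    """One XMPP domain. The same object plays the originating, receiving and
    authoritative roles as the flow requires, as a single deployment would."""

    def __init__(self, domain, secret):
        self.domain = domain
        self._secret = secret          # long-lived, never sent on the wire

    def new_stream_id(self):
        # The receiving server picks this in its response stream header
        # (the 'idt1_t1o' value in the text); it is the nonce the key binds to.
        return secrets.token_hex(16)

    def dialback_key(self, receiving, originating, stream_id):
        # Assumed XEP-0185 recipe:
        #   HMAC-SHA256(key=hex(SHA256(secret)), msg="recv orig stream-id")
        hkey = hashlib.sha256(self._secret).hexdigest().encode()
        msg = f"{receiving} {originating} {stream_id}".encode()
        return hmac.new(hkey, msg, hashlib.sha256).hexdigest()

    # Originating role: <db:result> sent on the outbound stream.
    def make_result(self, receiving, stream_id):
        key = self.dialback_key(receiving, self.domain, stream_id)
        return _el("result", {"from": self.domain, "to": receiving}, key)

    # Receiving role: relay the claimed key to the authoritative server.
    def make_verify(self, result_xml, stream_id):
        res = ET.fromstring(result_xml)
        return _el("verify", {"from": self.domain, "id": stream_id,
                              "to": res.get("from")}, res.text)

    # Authoritative role: recompute the key with our own secret and compare.
    def answer_verify(self, verify_xml):
        v = ET.fromstring(verify_xml)
        verdict = "invalid"
        if v.get("to") == self.domain:            # only vouch for our own domain
            expected = self.dialback_key(v.get("from"), v.get("to"), v.get("id"))
            if hmac.compare_digest(expected, v.text or ""):
                verdict = "valid"
        return _el("verify", {"from": self.domain, "id": v.get("id"),
                              "to": v.get("from"), "type": verdict}, v.text)


def run_dialback(originating, receiving, resolver):
    """Drive the flow from the text and return the type attribute of the final
    <db:result>. `resolver` stands in for the DNS lookup the receiving server
    performs on the *claimed* originating domain; dialback trusts that answer."""
    stream_id = receiving.new_stream_id()
    result = originating.make_result(receiving.domain, stream_id)
    claimed = ET.fromstring(result).get("from")
    authoritative = resolver[claimed]
    answer = authoritative.answer_verify(receiving.make_verify(result, stream_id))
    verdict = ET.fromstring(answer).get("type")
    final = _el("result", {"from": receiving.domain, "to": claimed,
                           "type": verdict}, ET.fromstring(result).text)
    return ET.fromstring(final).get("type")


# Constructed scenario: two honest domains and an impostor claiming type1.lit.
TYPE1 = Server("type1.lit", b"type1-dialback-secret")
EXAMPLE = Server("example.lit", b"example-dialback-secret")
IMPOSTOR = Server("type1.lit", b"attacker-does-not-know-the-secret")


def honest():
    return run_dialback(TYPE1, EXAMPLE, {"type1.lit": TYPE1})


def spoofed_domain():
    # Impostor claims type1.lit; DNS still points at the real type1.lit server.
    return run_dialback(IMPOSTOR, EXAMPLE, {"type1.lit": TYPE1})


def poisoned_dns():
    # Same impostor, but the receiving server's DNS answer was poisoned.
    return run_dialback(IMPOSTOR, EXAMPLE, {"type1.lit": IMPOSTOR})


if __name__ == "__main__":
    print(honest(), spoofed_domain(), poisoned_dns())  # valid invalid valid
```
]]></example>
<p>Note that the receiving server never learns the originating server's secret; it only learns whether the domain named in the db:result is willing to vouch for the key, which is why the verdict is only as trustworthy as the DNS answer that located the authoritative server.</p>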
  361. <section2 topic='Type 1 to Type 3' anchor='type1-type3'>
  362. <p>In this scenario, an XMPP user citizen@type1.lit attempts to send an XML stanza to romeo@type3.lit.</p>
  363. <example caption="Test Stanza"><![CDATA[
  364. <iq from='citizen@type1.lit/foo'
  365. id='t1_t3'
  366. to='romeo@type3.lit'
  367. type='get'>
  368. <ping xmlns='urn:xmpp:ping'/>
  369. </iq>
  370. ]]></example>
  371. <p>Therefore the type1.lit service (which supports verified connections only and does not have a certificate) attempts to initiate a server-to-server connection with the type3.lit service (which accepts verified connections and has a CA-issued certificate).</p>
  372. <p>First, the type1.lit service sends an initial stream header to type3.lit.</p>
  373. <example caption="Initial Stream Header"><![CDATA[
  374. <stream:stream
  375. xmlns='jabber:server'
  376. xmlns:db='jabber:server:dialback'
  377. xmlns:stream='http://etherx.jabber.lit/streams'
  378. from='type1.lit'
  379. to='type3.lit'>
  380. ]]></example>
  381. <p>Next the type3.lit service sends a response stream header to type1.lit.</p>
  382. <example caption="Response Stream Header"><![CDATA[
  383. <stream:stream
  384. xmlns='jabber:server'
  385. xmlns:db='jabber:server:dialback'
  386. xmlns:stream='http://etherx.jabber.lit/streams'
  387. from='type3.lit'
  388. id='idt1_t3o'
  389. to='type1.lit'
  390. version='1.0'>
  391. ]]></example>
  392. <p>The type3.lit service also sends stream features.</p>
  393. <example caption="Stream Features"><![CDATA[
  394. <stream:features>
  395. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  396. <dialback xmlns='urn:xmpp:features:dialback'/>
  397. </stream:features>
  398. ]]></example>
  399. <p>Because the type1.lit service does not support XMPP 1.0, it ignores the stream features and attempts to complete a server dialback negotiation with the type3.lit service. Therefore it sends a dialback key to the type3.lit service, which acts as the receiving server and will in turn dial back to the authoritative server for the type1.lit domain.</p>
  400. <example caption="Dialback Key"><![CDATA[
  401. <db:result
  402. from='type1.lit'
  403. to='type3.lit'>
  404. some-long-dialback-key
  405. </db:result>
  406. ]]></example>
  407. <p>The type3.lit service then performs a DNS lookup on the type1.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server.</p>
  408. <example caption="Initial Stream Header"><![CDATA[
  409. <stream:stream
  410. xmlns='jabber:server'
  411. xmlns:db='jabber:server:dialback'
  412. xmlns:stream='http://etherx.jabber.lit/streams'
  413. from='type3.lit'
  414. to='type1.lit'
  415. version='1.0'>
  416. ]]></example>
  417. <p>The authoritative server for the type1.lit service then returns a response stream header.</p>
  418. <example caption="Response Stream Header"><![CDATA[
  419. <stream:stream
  420. xmlns='jabber:server'
  421. xmlns:db='jabber:server:dialback'
  422. xmlns:stream='http://etherx.jabber.lit/streams'
  423. from='type1.lit'
  424. id='idt1_t3r'
  425. to='type3.lit'>
  426. ]]></example>
  427. <p>The type3.lit service then sends a dialback verification request to the authoritative server for the type1.lit domain.</p>
  428. <example caption="Verification Request"><![CDATA[
  429. <db:verify
  430. from='type3.lit'
  431. id='idt1_t3o'
  432. to='type1.lit'>
  433. some-long-dialback-key
  434. </db:verify>
  435. ]]></example>
  436. <p>Here we assume that the authoritative server for the type1.lit domain notifies the type3.lit service that the key is valid.</p>
  437. <example caption="Key is Valid"><![CDATA[
  438. <db:verify
  439. from='type1.lit'
  440. id='idt1_t3o'
  441. to='type3.lit'
  442. type='valid'>
  443. some-long-dialback-key
  444. </db:verify>
  445. ]]></example>
  446. <p>The type3.lit service then returns a positive server dialback result to the originating server.</p>
  447. <example caption="Server Dialback Result"><![CDATA[
  448. <db:result
  449. from='type3.lit'
  450. to='type1.lit'
  451. type='valid'>
  452. some-long-dialback-key
  453. </db:result>
  454. ]]></example>
  455. <p>Because the connection is successful, the type1.lit service routes the XML stanza from citizen@type1.lit to the type3.lit service.</p>
  456. </section2>
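<p>The following added example (written for this review; it is not part of this XEP and not code from any XMPP server) works through the dialback exchange shown in this section, which the later sections repeat with other pairs of services. The three roles are the ones the flow names: the originating server (type1.lit) generates the key, the receiving server (type3.lit) dials back with &lt;db:verify/&gt;, and the authoritative server for type1.lit checks it and answers valid or invalid. The key construction (HMAC-SHA256 keyed with the SHA-256 of a per-domain secret, over the receiving domain, originating domain and stream ID) is XEP-0220's recommended one and is an assumption here, since this page only shows the placeholder some-long-dialback-key; the class and function names are likewise invented for the example, and elements are modelled as dictionaries rather than XML. A second run models an impostor that claims type1.lit but does not hold its secret, which is exactly what dialback exists to catch.</p>

```python
import hashlib
import hmac
import secrets


class DialbackDomain:
    """One XMPP domain in the server dialback exchange shown on this page.

    The same class plays all three roles: Originating Server (sends
    db:result with a key), Receiving Server (dials back with db:verify)
    and Authoritative Server (recomputes the key and answers valid/invalid).
    Elements are modelled as dicts; 'elem' holds the element name.
    """

    def __init__(self, domain, secret=None):
        self.domain = domain
        # Per-domain secret; only the authoritative server for the domain knows it.
        self.secret = secret if secret is not None else secrets.token_hex(32)
        # Stream IDs we issued in response stream headers, keyed by peer domain.
        self.issued_stream_ids = {}
        # Origins whose db:result we accepted; stanzas from them may be routed.
        self.verified_origins = set()

    def key_for(self, receiving, originating, stream_id):
        # Assumed construction (XEP-0220 recommendation, not stated on this page):
        # HMAC-SHA256 keyed with hex(SHA256(secret)) over "receiving originating streamid".
        hashed_secret = hashlib.sha256(self.secret.encode()).hexdigest().encode()
        message = " ".join((receiving, originating, stream_id)).encode()
        return hmac.new(hashed_secret, message, hashlib.sha256).hexdigest()

    # Receiving Server: the id attribute of the response stream header.
    def open_stream(self, peer, stream_id=None):
        sid = stream_id if stream_id is not None else "id" + secrets.token_hex(8)
        self.issued_stream_ids[peer] = sid
        return sid

    # Originating Server: db:result carrying the dialback key for this stream.
    def make_result(self, receiving, stream_id):
        return {"elem": "db:result", "from": self.domain, "to": receiving,
                "key": self.key_for(receiving, self.domain, stream_id)}

    # Receiving Server: dial back to the claimed origin with db:verify.
    def make_verify(self, result):
        origin = result["from"]
        return {"elem": "db:verify", "from": self.domain, "to": origin,
                "id": self.issued_stream_ids[origin], "key": result["key"]}

    # Authoritative Server: recompute the key for the claimed stream and compare.
    def answer_verify(self, verify):
        expected = self.key_for(verify["from"], self.domain, verify["id"])
        valid = hmac.compare_digest(expected, verify["key"])
        return {"elem": "db:verify", "from": self.domain, "to": verify["from"],
                "id": verify["id"], "type": "valid" if valid else "invalid",
                "key": verify["key"]}

    # Receiving Server: final db:result to the origin, accepted only on 'valid'
    # for the same origin, the same stream id and the same key we asked about.
    def finish_result(self, result, answer):
        origin = result["from"]
        ok = (answer["type"] == "valid"
              and answer["from"] == origin
              and answer["id"] == self.issued_stream_ids.get(origin)
              and hmac.compare_digest(answer["key"], result["key"]))
        if ok:
            self.verified_origins.add(origin)
        return {"elem": "db:result", "from": self.domain, "to": origin,
                "type": "valid" if ok else "invalid", "key": result["key"]}


def run_dialback(originating, receiving, authoritative=None):
    """Full exchange from the page; returns the final db:result type.

    'authoritative' is the server the receiving side reaches by DNS for the
    claimed origin. Normally that is the originating server itself; passing a
    different object models an impostor claiming a domain it does not control.
    """
    authoritative = originating if authoritative is None else authoritative
    sid = receiving.open_stream(originating.domain)          # response stream header id
    result = originating.make_result(receiving.domain, sid)  # db:result with key
    verify = receiving.make_verify(result)                   # db:verify on a second connection
    answer = authoritative.answer_verify(verify)             # db:verify type='valid'|'invalid'
    return receiving.finish_result(result, answer)["type"]   # db:result type='valid'|'invalid'


if __name__ == "__main__":
    type1 = DialbackDomain("type1.lit")
    type3 = DialbackDomain("type3.lit")
    print("genuine type1.lit:", run_dialback(type1, type3))
    # Constructed impostor: claims to be type1.lit but does not hold its secret,
    # so the genuine authoritative server (reached by DNS) answers 'invalid'.
    impostor = DialbackDomain("type1.lit", secret="not-the-real-secret")
    print("impostor claiming type1.lit:", run_dialback(impostor, type3, authoritative=type1))
```

<p>The check in finish_result is the part implementations most often get wrong: the receiving server must tie the answer back to the stream it issued (same origin, same id, same key) rather than accept any &lt;db:verify type='valid'/&gt; that arrives. Note also what dialback does not give you: the receiving server trusts DNS to reach the real authoritative server, so an attacker who controls DNS for the origin domain can pass this check, which is why the page calls it weak identity verification.</p>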
  457. <section2 topic='Type 1 to Type 4' anchor='type1-type4'>
  458. <p>In this scenario, an XMPP user citizen@type1.lit attempts to send an XML stanza to hamlet@type4.lit.</p>
  459. <example caption="Test Stanza"><![CDATA[
  460. <iq from='citizen@type1.lit/foo'
  461. id='t1_t4'
  462. to='hamlet@type4.lit'
  463. type='get'>
  464. <ping xmlns='urn:xmpp:ping'/>
  465. </iq>
  466. ]]></example>
  467. <p>Therefore the type1.lit service (which supports verified connections only and does not have a certificate) attempts to initiate a server-to-server connection with type4.lit (which does not accept verified connections and has a self-signed certificate).</p>
  468. <p>First, the type1.lit service sends an initial stream header to type4.lit.</p>
  469. <example caption="Initial Stream Header"><![CDATA[
  470. <stream:stream
  471. xmlns='jabber:server'
  472. xmlns:db='jabber:server:dialback'
  473. xmlns:stream='http://etherx.jabber.lit/streams'
  474. from='type1.lit'
  475. to='type4.lit'>
  476. ]]></example>
  477. <p>Next the type4.lit service sends a response stream header to type1.lit.</p>
  478. <example caption="Response Stream Header"><![CDATA[
  479. <stream:stream
  480. xmlns='jabber:server'
  481. xmlns:db='jabber:server:dialback'
  482. xmlns:stream='http://etherx.jabber.lit/streams'
  483. from='type4.lit'
  484. id='idt1_t4o'
  485. to='type1.lit'
  486. version='1.0'>
  487. ]]></example>
  488. <p>The type4.lit service also sends stream features. Because the type4.lit service does not accept verified connections over an unencrypted stream, it returns stream features with a notation that STARTTLS is required.</p>
  489. <example caption="Stream Features"><![CDATA[
  490. <stream:features>
  491. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
  492. <required/>
  493. </starttls>
  494. </stream:features>
  495. ]]></example>
  496. <p>Because the type1.lit service does not support XMPP 1.0, it ignores the stream features (including the notation that STARTTLS is required) and attempts to complete a server dialback negotiation with the type4.lit service. Therefore it sends a dialback key to the type4.lit service as the receiving server.</p>
  497. <example caption="Dialback Key"><![CDATA[
  498. <db:result
  499. from='type1.lit'
  500. to='type4.lit'>
  501. some-long-dialback-key
  502. </db:result>
  503. ]]></example>
  504. <p>The type4.lit service understands the server dialback protocol, but because it requires STARTTLS before any dialback at this point in the stream negotiation, it returns a stream error to the type1.lit service, which should be &lt;not-authorized/&gt;, and closes the stream.</p>
  505. <example caption="Stream Error"><![CDATA[
  506. <stream:error>
  507. <not-authorized
  508. xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
  509. </stream:error>
  510. </stream:stream>
  511. ]]></example>
  512. <p>Because the connection is unsuccessful, the type1.lit service returns a stanza error to citizen@type1.lit, which should be &timeout;.</p>
  513. <example caption="Error Stanza"><![CDATA[
  514. <iq from='hamlet@type4.lit'
  515. id='t1_t4'
  516. to='citizen@type1.lit/foo'
  517. type='error'>
  518. <error type='cancel'>
  519. <remote-server-timeout
  520. xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
  521. </error>
  522. </iq>
  523. ]]></example>
  524. </section2>
  525. <section2 topic='Type 1 to Type 5' anchor='type1-type5'>
  526. <p>In this scenario, an XMPP user citizen@type1.lit attempts to send an XML stanza to bill@type5.lit.</p>
  527. <example caption="Test Stanza"><![CDATA[
  528. <iq from='citizen@type1.lit/foo'
  529. id='t1_t5'
  530. to='bill@type5.lit'
  531. type='get'>
  532. <ping xmlns='urn:xmpp:ping'/>
  533. </iq>
  534. ]]></example>
  535. <p>Therefore the type1.lit service (which supports verified connections only and does not have a certificate) attempts to initiate a server-to-server connection with type5.lit (which does not accept verified connections and has a CA-issued certificate).</p>
  536. <p>First, the type1.lit service sends an initial stream header to type5.lit.</p>
  537. <example caption="Initial Stream Header"><![CDATA[
  538. <stream:stream
  539. xmlns='jabber:server'
  540. xmlns:db='jabber:server:dialback'
  541. xmlns:stream='http://etherx.jabber.lit/streams'
  542. from='type1.lit'
  543. to='type5.lit'>
  544. ]]></example>
  545. <p>Next the type5.lit service sends a response stream header to type1.lit.</p>
  546. <example caption="Response Stream Header"><![CDATA[
  547. <stream:stream
  548. xmlns='jabber:server'
  549. xmlns:db='jabber:server:dialback'
  550. xmlns:stream='http://etherx.jabber.lit/streams'
  551. from='type5.lit'
  552. id='idt1_t5o'
  553. to='type1.lit'
  554. version='1.0'>
  555. ]]></example>
  556. <p>The type5.lit service also sends stream features. Because the type5.lit service does not accept verified connections over an unencrypted stream, it returns stream features with a notation that STARTTLS is required.</p>
  557. <example caption="Stream Features"><![CDATA[
  558. <stream:features>
  559. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
  560. <required/>
  561. </starttls>
  562. </stream:features>
  563. ]]></example>
  564. <p>Because the type1.lit service does not support XMPP 1.0, it ignores the stream features (including the notation that STARTTLS is required) and attempts to complete a server dialback negotiation with the type5.lit service. Therefore it sends a dialback key to the type5.lit service as the receiving server.</p>
  565. <example caption="Dialback Key"><![CDATA[
  566. <db:result
  567. from='type1.lit'
  568. to='type5.lit'>
  569. some-long-dialback-key
  570. </db:result>
  571. ]]></example>
  572. <p>The type5.lit service understands the server dialback protocol, but because it requires STARTTLS before any dialback at this point in the stream negotiation, it returns a stream error to the type1.lit service, which should be &lt;not-authorized/&gt;, and closes the stream.</p>
  573. <example caption="Stream Error"><![CDATA[
  574. <stream:error>
  575. <not-authorized
  576. xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
  577. </stream:error>
  578. </stream:stream>
  579. ]]></example>
  580. <p>Because the connection is unsuccessful, the type1.lit service returns a stanza error to citizen@type1.lit, which should be &timeout;.</p>
  581. <example caption="Error Stanza"><![CDATA[
  582. <iq from='bill@type5.lit'
  583. id='t1_t5'
  584. to='citizen@type1.lit/foo'
  585. type='error'>
  586. <error type='cancel'>
  587. <remote-server-timeout
  588. xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
  589. </error>
  590. </iq>
  591. ]]></example>
  592. </section2>
  593. <section2 topic='Type 1 to Type 6' anchor='type1-type6'>
  594. <p>In this scenario, an XMPP user citizen@type1.lit attempts to send an XML stanza to chris@type6.lit.</p>
  595. <example caption="Test Stanza"><![CDATA[
  596. <iq from='citizen@type1.lit/foo'
  597. id='t1_t6'
  598. to='chris@type6.lit'
  599. type='get'>
  600. <ping xmlns='urn:xmpp:ping'/>
  601. </iq>
  602. ]]></example>
  603. <p>Therefore the type1.lit service (which supports verified connections only and does not have a certificate) attempts to initiate a server-to-server connection with the type6.lit service (which accepts only trusted connections, has a CA-issued certificate, and does not support Server Dialback).</p>
  604. <p>First, the type1.lit service sends an initial stream header to type6.lit.</p>
  605. <example caption="Initial Stream Header"><![CDATA[
  606. <stream:stream
  607. xmlns='jabber:server'
  608. xmlns:db='jabber:server:dialback'
  609. xmlns:stream='http://etherx.jabber.lit/streams'
  610. from='type1.lit'
  611. to='type6.lit'>
  612. ]]></example>
  613. <p>Next the type6.lit service sends a response stream header to type1.lit. Notice that the response stream header does not include the dialback namespace, since the type6.lit service does not support Server Dialback.</p>
  614. <example caption="Response Stream Header"><![CDATA[
  615. <stream:stream
  616. xmlns='jabber:server'
  617. xmlns:stream='http://etherx.jabber.lit/streams'
  618. from='type6.lit'
  619. id='idt1_t6o'
  620. to='type1.lit'
  621. version='1.0'>
  622. ]]></example>
  623. <p>The type6.lit service also sends stream features. Because the type6.lit service does not accept untrusted connections, it returns stream features with a notation that STARTTLS is required.</p>
  624. <example caption="Stream Features"><![CDATA[
  625. <stream:features>
  626. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
  627. <required/>
  628. </starttls>
  629. </stream:features>
  630. ]]></example>
  631. <p>The type1.lit service does not detect that the type6.lit service lacks support for server dialback (it ignores the stream features and does not check the response stream header for the dialback namespace) and attempts to complete server dialback anyway, sending a dialback key to type6.lit.</p>
  632. <example caption="Dialback Key"><![CDATA[
  633. <db:result
  634. from='type1.lit'
  635. to='type6.lit'>
  636. some-long-dialback-key
  637. </db:result>
  638. ]]></example>
  639. <p>The type6.lit service does not accept dialback negotiations so it returns a &notauthorized; stream error and closes the stream.</p>
  640. <example caption="Stream Error"><![CDATA[
  641. <stream:error>
  642. <not-authorized
  643. xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
  644. </stream:error>
  645. </stream:stream>
  646. ]]></example>
  647. <p>The type1.lit service closes the stream as well.</p>
  648. <example caption="Stream Close"><![CDATA[
  649. </stream:stream>
  650. ]]></example>
  651. <p>Because the connection is unsuccessful, the type1.lit service returns a stanza error to citizen@type1.lit, which should be &timeout;.</p>
  652. <example caption="Error Stanza"><![CDATA[
  653. <iq from='chris@type6.lit'
  654. id='t1_t6'
  655. to='citizen@type1.lit/foo'
  656. type='error'>
  657. <error type='cancel'>
  658. <remote-server-timeout
  659. xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
  660. </error>
  661. </iq>
  662. ]]></example>
  663. </section2>
  664. </section1>
  665. <section1 topic='Connections from Type 2 Services' anchor='type2'>
  666. <section2 topic='Type 2 to Type 1' anchor='type2-type1'>
  667. <p>In this scenario, an XMPP user juliet@type2.lit attempts to send an XML stanza to citizen@type1.lit:</p>
  668. <example caption="Test Stanza"><![CDATA[
  669. <iq from='juliet@type2.lit/foo'
  670. id='t2_t1'
  671. to='citizen@type1.lit'
  672. type='get'>
  673. <ping xmlns='urn:xmpp:ping'/>
  674. </iq>
  675. ]]></example>
  676. <p>Therefore the type2.lit service (which accepts verified connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the type1.lit service (which supports verified connections only and does not have a certificate).</p>
  677. <p>First, the type2.lit service sends an initial stream header to type1.lit.</p>
  678. <example caption="Initial Stream Header"><![CDATA[
  679. <stream:stream
  680. xmlns='jabber:server'
  681. xmlns:db='jabber:server:dialback'
  682. xmlns:stream='http://etherx.jabber.lit/streams'
  683. from='type2.lit'
  684. to='type1.lit'
  685. version='1.0'>
  686. ]]></example>
  687. <p>Next the type1.lit service sends a response stream header to type2.lit.</p>
  688. <example caption="Response Stream Header"><![CDATA[
  689. <stream:stream
  690. xmlns='jabber:server'
  691. xmlns:db='jabber:server:dialback'
  692. xmlns:stream='http://etherx.jabber.lit/streams'
  693. from='type1.lit'
  694. id='idt2_t1o'
  695. to='type2.lit'>
  696. ]]></example>
  697. <p>Because the type1.lit service does not support XMPP 1.0, it does not send stream features. Because the type2.lit service accepts verified connections and the type1.lit service accepts nothing else, type2.lit proceeds with server dialback so that type1.lit can verify the identity of type2.lit. Therefore it sends a dialback key to type1.lit over the existing connection.</p>
  698. <example caption="Dialback Key"><![CDATA[
  699. <db:result
  700. from='type2.lit'
  701. to='type1.lit'>
  702. some-long-dialback-key
  703. </db:result>
  704. ]]></example>
  705. <p>The type1.lit service then performs a DNS lookup on the type2.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type2.lit service.</p>
  706. <example caption="Initial Stream Header"><![CDATA[
  707. <stream:stream
  708. xmlns='jabber:server'
  709. xmlns:db='jabber:server:dialback'
  710. xmlns:stream='http://etherx.jabber.lit/streams'
  711. from='type1.lit'
  712. to='type2.lit'>
  713. ]]></example>
  714. <p>The authoritative server for the type2.lit service then returns a response stream header.</p>
  715. <example caption="Response Stream Header"><![CDATA[
  716. <stream:stream
  717. xmlns='jabber:server'
  718. xmlns:db='jabber:server:dialback'
  719. xmlns:stream='http://etherx.jabber.lit/streams'
  720. from='type2.lit'
  721. id='idt2_t1r'
  722. to='type1.lit'
  723. version='1.0'>
  724. ]]></example>
  725. <p>The type1.lit service then sends a dialback verification request to the authoritative server for the type2.lit domain.</p>
  726. <example caption="Verification Request"><![CDATA[
  727. <db:verify
  728. from='type1.lit'
  729. id='idt2_t1o'
  730. to='type2.lit'>
  731. some-long-dialback-key
  732. </db:verify>
  733. ]]></example>
  734. <p>Here we assume that the authoritative server for the type2.lit domain notifies the type1.lit service that the key is valid.</p>
  735. <example caption="Key is Valid"><![CDATA[
  736. <db:verify
  737. from='type2.lit'
  738. id='idt2_t1o'
  739. to='type1.lit'
  740. type='valid'>
  741. some-long-dialback-key
  742. </db:verify>
  743. ]]></example>
  744. <p>The type1.lit service then returns a positive server dialback result to the originating server (i.e., type2.lit).</p>
  745. <example caption="Server Dialback Result"><![CDATA[
  746. <db:result
  747. from='type1.lit'
  748. to='type2.lit'
  749. type='valid'>
  750. some-long-dialback-key
  751. </db:result>
  752. ]]></example>
  753. <p>Because the connection is successful, the type2.lit service routes the XML stanza from juliet@type2.lit to the type1.lit service.</p>
  754. </section2>
  755. <section2 topic='Type 2 to Type 2' anchor='type2-type2'>
  756. <p>In this scenario, an XMPP user juliet@type2.lit attempts to send an XML stanza to user@example.lit:</p>
  757. <example caption="Test Stanza"><![CDATA[
  758. <iq from='juliet@type2.lit/foo'
  759. id='t2_t2'
  760. to='user@example.lit'
  761. type='get'>
  762. <ping xmlns='urn:xmpp:ping'/>
  763. </iq>
  764. ]]></example>
  765. <p>Therefore the type2.lit service (which accepts verified connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the example.lit service (which also supports verified connections and has a self-signed certificate).</p>
  766. <p>First, the type2.lit service sends an initial stream header to example.lit.</p>
  767. <example caption="Initial Stream Header"><![CDATA[
  768. <stream:stream
  769. xmlns='jabber:server'
  770. xmlns:db='jabber:server:dialback'
  771. xmlns:stream='http://etherx.jabber.lit/streams'
  772. from='type2.lit'
  773. to='example.lit'
  774. version='1.0'>
  775. ]]></example>
  776. <p>Next the example.lit service sends a response stream header to type2.lit.</p>
  777. <example caption="Response Stream Header"><![CDATA[
  778. <stream:stream
  779. xmlns='jabber:server'
  780. xmlns:db='jabber:server:dialback'
  781. xmlns:stream='http://etherx.jabber.lit/streams'
  782. from='example.lit'
  783. id='idt2_t2o'
  784. to='type2.lit' version='1.0'>
  785. ]]></example>
  786. <p>Because the example.lit service supports XMPP 1.0, it also sends stream features.</p>
  787. <example caption="Stream Features"><![CDATA[
  788. <stream:features>
  789. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  790. <dialback xmlns='urn:xmpp:features:dialback'/>
  791. </stream:features>
  792. ]]></example>
  793. <p>We assume that type2.lit does not attempt STARTTLS negotiation but instead attempts server dialback for weak identity verification.</p>
  794. <example caption="Dialback Key"><![CDATA[
  795. <db:result
  796. from='type2.lit'
  797. to='example.lit'>
  798. some-long-dialback-key
  799. </db:result>
  800. ]]></example>
  801. <p>The example.lit service then performs a DNS lookup on the type2.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type2.lit service.</p>
  802. <example caption="Initial Stream Header"><![CDATA[
  803. <stream:stream
  804. xmlns='jabber:server'
  805. xmlns:db='jabber:server:dialback'
  806. xmlns:stream='http://etherx.jabber.lit/streams'
  807. from='example.lit'
  808. to='type2.lit'>
  809. ]]></example>
  810. <p>The authoritative server for the type2.lit service then returns a response stream header.</p>
  811. <example caption="Response Stream Header"><![CDATA[
  812. <stream:stream
  813. xmlns='jabber:server'
  814. xmlns:db='jabber:server:dialback'
  815. xmlns:stream='http://etherx.jabber.lit/streams'
  816. from='type2.lit'
  817. id='idt2_t2r'
  818. to='example.lit'
  819. version='1.0'>
  820. ]]></example>
  821. <p>The example.lit service then sends a dialback verification request to the authoritative server for the type2.lit domain.</p>
  822. <example caption="Verification Request"><![CDATA[
  823. <db:verify
  824. from='example.lit'
  825. id='idt2_t2o'
  826. to='type2.lit'>
  827. some-long-dialback-key
  828. </db:verify>
  829. ]]></example>
  830. <p>Here we assume that the authoritative server for the type2.lit domain notifies the example.lit service that the key is valid.</p>
  831. <example caption="Key is Valid"><![CDATA[
  832. <db:verify
  833. from='type2.lit'
  834. id='idt2_t2o'
  835. to='example.lit'
  836. type='valid'>
  837. some-long-dialback-key
  838. </db:verify>
  839. ]]></example>
  840. <p>The example.lit service then returns a positive server dialback result to the originating server (i.e., type2.lit).</p>
  841. <example caption="Server Dialback Result"><![CDATA[
  842. <db:result
  843. from='example.lit'
  844. to='type2.lit'
  845. type='valid'>
  846. some-long-dialback-key
  847. </db:result>
  848. ]]></example>
  849. <p>Because the connection is successful, the type2.lit service routes the XML stanza from juliet@type2.lit to the example.lit service.</p>
  850. </section2>
  851. <section2 topic='Type 2 to Type 3' anchor='type2-type3'>
  852. <p>In this scenario, an XMPP user juliet@type2.lit attempts to send an XML stanza to romeo@type3.lit:</p>
  853. <example caption="Test Stanza"><![CDATA[
  854. <iq from='juliet@type2.lit/foo'
  855. id='t2_t3'
  856. to='romeo@type3.lit'
  857. type='get'>
  858. <ping xmlns='urn:xmpp:ping'/>
  859. </iq>
  860. ]]></example>
  861. <p>Therefore the type2.lit service (which accepts verified connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the type3.lit service (which also supports verified connections and has a CA-issued certificate).</p>
  862. <p>First, the type2.lit service sends an initial stream header to type3.lit.</p>
  863. <example caption="Initial Stream Header"><![CDATA[
  864. <stream:stream
  865. xmlns='jabber:server'
  866. xmlns:db='jabber:server:dialback'
  867. xmlns:stream='http://etherx.jabber.lit/streams'
  868. from='type2.lit'
  869. to='type3.lit'
  870. version='1.0'>
  871. ]]></example>
  872. <p>Next the type3.lit service sends a response stream header to type2.lit.</p>
  873. <example caption="Response Stream Header"><![CDATA[
  874. <stream:stream
  875. xmlns='jabber:server'
  876. xmlns:db='jabber:server:dialback'
  877. xmlns:stream='http://etherx.jabber.lit/streams'
  878. from='type3.lit'
  879. id='idt2_t3o'
  880. to='type2.lit' version='1.0'>
  881. ]]></example>
  882. <p>Because the type3.lit service supports XMPP 1.0, it also sends stream features.</p>
  883. <example caption="Stream Features"><![CDATA[
  884. <stream:features>
  885. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  886. <dialback xmlns='urn:xmpp:features:dialback'/>
  887. </stream:features>
  888. ]]></example>
  889. <p>We assume that type2.lit does not attempt STARTTLS negotiation but instead attempts server dialback for weak identity verification.</p>
  890. <example caption="Dialback Key"><![CDATA[
  891. <db:result
  892. from='type2.lit'
  893. to='type3.lit'>
  894. some-long-dialback-key
  895. </db:result>
  896. ]]></example>
  897. <p>The type3.lit service then performs a DNS lookup on the type2.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type2.lit service.</p>
  898. <example caption="Initial Stream Header"><![CDATA[
  899. <stream:stream
  900. xmlns='jabber:server'
  901. xmlns:db='jabber:server:dialback'
  902. xmlns:stream='http://etherx.jabber.lit/streams'
  903. from='type3.lit'
  904. to='type2.lit'>
  905. ]]></example>
  906. <p>The authoritative server for the type2.lit service then returns a response stream header.</p>
  907. <example caption="Response Stream Header"><![CDATA[
  908. <stream:stream
  909. xmlns='jabber:server'
  910. xmlns:db='jabber:server:dialback'
  911. xmlns:stream='http://etherx.jabber.lit/streams'
  912. from='type2.lit'
  913. id='idt2_t3r'
  914. to='type3.lit'
  915. version='1.0'>
  916. ]]></example>
  917. <p>The type3.lit service then sends a dialback verification request to the authoritative server for the type2.lit domain.</p>
  918. <example caption="Verification Request"><![CDATA[
  919. <db:verify
  920. from='type3.lit'
  921. id='idt2_t3o'
  922. to='type2.lit'>
  923. some-long-dialback-key
  924. </db:verify>
  925. ]]></example>
  926. <p>Here we assume that the authoritative server for the type2.lit domain notifies the type3.lit service that the key is valid.</p>
  927. <example caption="Key is Valid"><![CDATA[
  928. <db:verify
  929. from='type2.lit'
  930. id='idt2_t3o'
  931. to='type3.lit'
  932. type='valid'>
  933. some-long-dialback-key
  934. </db:verify>
  935. ]]></example>
  936. <p>The type3.lit service then returns a positive server dialback result to the originating server (i.e., type2.lit).</p>
  937. <example caption="Server Dialback Result"><![CDATA[
  938. <db:result
  939. from='type3.lit'
  940. to='type2.lit'
  941. type='valid'>
  942. some-long-dialback-key
  943. </db:result>
  944. ]]></example>
  945. <p>Because the connection is successful, the type2.lit service routes the XML stanza from juliet@type2.lit to the type3.lit service.</p>
  946. </section2>
  947. <section2 topic='Type 2 to Type 4' anchor='type2-type4'>
  948. <p>In this scenario, an XMPP user juliet@type2.lit attempts to send an XML stanza to hamlet@type4.lit:</p>
  949. <example caption="Test Stanza"><![CDATA[
  950. <iq from='juliet@type2.lit/foo'
  951. id='t2_t4'
  952. to='hamlet@type4.lit'
  953. type='get'>
  954. <ping xmlns='urn:xmpp:ping'/>
  955. </iq>
  956. ]]></example>
  957. <p>Therefore the type2.lit service (which accepts verified connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the type4.lit service (which requires encryption and has a self-signed certificate).</p>
  958. <p>First, the type2.lit service sends an initial stream header to type4.lit.</p>
  959. <example caption="Initial Stream Header"><![CDATA[
  960. <stream:stream
  961. xmlns='jabber:server'
  962. xmlns:db='jabber:server:dialback'
  963. xmlns:stream='http://etherx.jabber.lit/streams'
  964. from='type2.lit'
  965. to='type4.lit'
  966. version='1.0'>
  967. ]]></example>
  968. <p>Next the type4.lit service sends a response stream header to type2.lit.</p>
  969. <example caption="Response Stream Header"><![CDATA[
  970. <stream:stream
  971. xmlns='jabber:server'
  972. xmlns:db='jabber:server:dialback'
  973. xmlns:stream='http://etherx.jabber.lit/streams'
  974. from='type4.lit'
  975. id='idt2_t4o'
  976. to='type2.lit' version='1.0'>
  977. ]]></example>
  978. <p>Because the type4.lit service supports XMPP 1.0, it also sends stream features.</p>
  979. <example caption="Stream Features"><![CDATA[
  980. <stream:features>
  981. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
  982. <required/>
  983. </starttls>
  984. <dialback xmlns='urn:xmpp:features:dialback'/>
  985. </stream:features>
  986. ]]></example>
  987. <p>Because type4.lit requires encryption, type2.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
  988. <example caption="STARTTLS Request"><![CDATA[
  989. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  990. ]]></example>
  991. <example caption="STARTTLS Response"><![CDATA[
  992. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  993. ]]></example>
  994. <p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
  995. <p>The type2.lit service then opens a new stream over the encrypted connection.</p>
  996. <example caption="Initial Stream Header"><![CDATA[
  997. <stream:stream
  998. xmlns='jabber:server'
  999. xmlns:db='jabber:server:dialback'
  1000. xmlns:stream='http://etherx.jabber.lit/streams'
  1001. from='type2.lit'
  1002. to='type4.lit'
  1003. version='1.0'>
  1004. ]]></example>
  1005. <p>Next the type4.lit service sends a response stream header to type2.lit.</p>
  1006. <example caption="Response Stream Header"><![CDATA[
  1007. <stream:stream
  1008. xmlns='jabber:server'
  1009. xmlns:db='jabber:server:dialback'
  1010. xmlns:stream='http://etherx.jabber.lit/streams'
  1011. from='type4.lit'
  1012. id='idt2_t4o2'
  1013. to='type2.lit' version='1.0'>
  1014. ]]></example>
  1015. <p>Because the type4.lit service supports XMPP 1.0, it also sends stream features.</p>
  1016. <example caption="Stream Features"><![CDATA[
  1017. <stream:features>
  1018. <dialback xmlns='urn:xmpp:features:dialback'>
  1019. <required/>
  1020. </dialback>
  1021. </stream:features>
  1022. ]]></example>
  1023. <p>Notice that type4.lit requires dialback here (perhaps because of some local service policy; type2.lit has only a self-signed certificate, so TLS alone does not give type4.lit a verified identity for it). Therefore type2.lit sends a dialback key to type4.lit over the now-encrypted stream, computed against the stream ID of this new stream.</p>
  1024. <example caption="Dialback Key"><![CDATA[
  1025. <db:result
  1026. from='type2.lit'
  1027. to='type4.lit'>
  1028. some-long-dialback-key
  1029. </db:result>
  1030. ]]></example>
  1031. <p>The type4.lit service then performs a DNS lookup on the type2.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type2.lit service.</p>
  1032. <example caption="Initial Stream Header"><![CDATA[
  1033. <stream:stream
  1034. xmlns='jabber:server'
  1035. xmlns:db='jabber:server:dialback'
  1036. xmlns:stream='http://etherx.jabber.lit/streams'
  1037. from='type4.lit'
  1038. to='type2.lit'>
  1039. ]]></example>
  1040. <p>The authoritative server for the type2.lit service then returns a response stream header.</p>
  1041. <example caption="Response Stream Header"><![CDATA[
  1042. <stream:stream
  1043. xmlns='jabber:server'
  1044. xmlns:db='jabber:server:dialback'
  1045. xmlns:stream='http://etherx.jabber.lit/streams'
  1046. from='type2.lit'
  1047. id='idt2_t4r'
  1048. to='type4.lit'
  1049. version='1.0'>
  1050. ]]></example>
  1051. <p>The type4.lit service then sends a dialback verification request to the authoritative server for the type2.lit domain.</p>
  1052. <example caption="Verification Request"><![CDATA[
  1053. <db:verify
  1054. from='type4.lit'
  1055. id='idt2_t4o2'
  1056. to='type2.lit'>
  1057. some-long-dialback-key
  1058. </db:verify>
  1059. ]]></example>
  1060. <p>Here we assume that the authoritative server for the type2.lit domain notifies the type4.lit service that the key is valid.</p>
  1061. <example caption="Key is Valid"><![CDATA[
  1062. <db:verify
  1063. from='type2.lit'
  1064. id='idt2_t4o2'
  1065. to='type4.lit'
  1066. type='valid'>
  1067. some-long-dialback-key
  1068. </db:verify>
  1069. ]]></example>
  1070. <p>The type4.lit service then returns a positive server dialback result to the originating server (i.e., type2.lit).</p>
  1071. <example caption="Server Dialback Result"><![CDATA[
  1072. <db:result
  1073. from='type4.lit'
  1074. to='type2.lit'
  1075. type='valid'>
  1076. some-long-dialback-key
  1077. </db:result>
  1078. ]]></example>
  1079. <p>Because the connection is successful, the type2.lit service routes the XML stanza from juliet@type2.lit to the type4.lit service.</p>
  1080. </section2>
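<p>The following added example (written for this review; not part of this XEP or of any server implementation) models the receiving server's side of the negotiation in this section and in the Type 1 to Type 4, 5 and 6 flows above: a policy that allows dialback on a plain stream (type 2 and 3), one that requires STARTTLS before anything else and answers a premature &lt;db:result/&gt; with a &lt;not-authorized/&gt; stream error (type 4 and 5), and one that requires STARTTLS and offers no dialback at all (type 6). It also shows why the stream ID changes after STARTTLS: the response stream header on the reopened stream carries a fresh id, and the &lt;db:verify/&gt; must reference that id, not the one from the pre-TLS stream. Elements are modelled as dictionaries, dialback keys are treated as opaque strings (their construction is not the point here), and the policy names and the class and function names are invented for the example.</p>

```python
import secrets

# Receiving-side policies, named here after the page's service types
# (these identifiers are an assumption for the example, not XEP terminology).
POLICY_VERIFIED = "verified"    # type 2 and 3: dialback allowed on a plain stream
POLICY_ENCRYPTED = "encrypted"  # type 4 and 5: STARTTLS required before anything else
POLICY_TRUSTED = "trusted"      # type 6: STARTTLS required and no dialback at all


class ReceivingServer:
    """Stream negotiation as seen by the receiving server in the page's flows.

    Elements from the originating server are dicts with an 'elem' key; the
    return value of handle() is the element the receiving server sends back.
    """

    def __init__(self, domain, policy, dialback_after_tls_required=False):
        self.domain = domain
        self.policy = policy
        # Type 4 in the Type 2 to Type 4 flow: dialback required once TLS is up.
        self.dialback_after_tls_required = dialback_after_tls_required
        self.tls_active = False
        self.closed = False
        self.stream_id = None
        self.issued_stream_ids = []  # every id handed out, oldest first

    def stream_header(self, peer_version):
        """Response stream header. Each (re)opened stream gets a fresh id."""
        self.stream_id = "id" + secrets.token_hex(8)
        self.issued_stream_ids.append(self.stream_id)
        header = {"elem": "stream:stream", "from": self.domain, "id": self.stream_id}
        if peer_version == "1.0":
            # Only an XMPP 1.0 peer gets version='1.0' and stream features.
            header["version"] = "1.0"
            header["features"] = self.features()
        return header

    def features(self):
        feats = []
        if not self.tls_active:
            starttls = {"elem": "starttls"}
            if self.policy in (POLICY_ENCRYPTED, POLICY_TRUSTED):
                starttls["required"] = True
            feats.append(starttls)
        if self.policy != POLICY_TRUSTED:
            dialback = {"elem": "dialback"}
            if self.tls_active and self.dialback_after_tls_required:
                dialback["required"] = True
            feats.append(dialback)
        return feats

    def _stream_error(self, condition):
        self.closed = True  # the page's flows close the stream after the error
        return {"elem": "stream:error", "condition": condition}

    def handle(self, element):
        if self.closed:
            raise RuntimeError("stream is closed")
        name = element["elem"]
        if name == "starttls":
            # TLS handshake assumed successful; the peer must then reopen the stream.
            self.tls_active = True
            return {"elem": "proceed"}
        if name == "db:result":
            if self.policy == POLICY_TRUSTED:
                return self._stream_error("not-authorized")  # dialback not offered at all
            if self.policy == POLICY_ENCRYPTED and not self.tls_active:
                return self._stream_error("not-authorized")  # dialback before STARTTLS
            # Dial back against the id of the current stream, which after
            # STARTTLS is the second id issued, not the pre-TLS one.
            return {"elem": "db:verify", "from": self.domain, "to": element["from"],
                    "id": self.stream_id, "key": element["key"]}
        # Anything else before authentication: condition assumed, not shown on the page.
        return self._stream_error("unsupported-stanza-type")


def type1_originator(receiver, origin="type1.lit"):
    """Type 1 peer: no XMPP 1.0, ignores features and dials back immediately."""
    receiver.stream_header(peer_version=None)
    return receiver.handle({"elem": "db:result", "from": origin, "to": receiver.domain,
                            "key": "some-long-dialback-key"})


def type2_originator(receiver, origin="type2.lit"):
    """Type 2 peer: honours a required STARTTLS feature, then dials back."""
    header = receiver.stream_header(peer_version="1.0")
    starttls = [f for f in header["features"] if f["elem"] == "starttls"]
    if starttls and starttls[0].get("required"):
        receiver.handle({"elem": "starttls"})
        header = receiver.stream_header(peer_version="1.0")  # new stream, new id
    return receiver.handle({"elem": "db:result", "from": origin, "to": receiver.domain,
                            "key": "some-long-dialback-key"})
```

<p>Running type1_originator against an encrypted-policy receiver reproduces the Type 1 to Type 4 and Type 1 to Type 5 outcome (a &lt;not-authorized/&gt; stream error and a closed stream), against a trusted-policy receiver the Type 1 to Type 6 outcome, and against a verified-policy receiver a &lt;db:verify/&gt; bound to the only stream id issued. Running type2_originator against an encrypted-policy receiver with dialback required after TLS reproduces this section: two stream ids are issued, and the &lt;db:verify/&gt; carries the second one.</p>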
  1081. <section2 topic='Type 2 to Type 5' anchor='type2-type5'>
  1082. <p>In this scenario, an XMPP user juliet@type2.lit attempts to send an XML stanza to bill@type5.lit:</p>
  1083. <example caption="Test Stanza"><![CDATA[
  1084. <iq from='juliet@type2.lit/foo'
  1085. id='t2_t5'
  1086. to='bill@type5.lit'
  1087. type='get'>
  1088. <ping xmlns='urn:xmpp:ping'/>
  1089. </iq>
  1090. ]]></example>
  1091. <p>Therefore the type2.lit service (which accepts verified connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the type5.lit service (which requires encryption and has a CA-issued certificate).</p>
  1092. <p>First, the type2.lit service sends an initial stream header to type5.lit.</p>
  1093. <example caption="Initial Stream Header"><![CDATA[
  1094. <stream:stream
  1095. xmlns='jabber:server'
  1096. xmlns:db='jabber:server:dialback'
  1097. xmlns:stream='http://etherx.jabber.lit/streams'
  1098. from='type2.lit'
  1099. to='type5.lit'
  1100. version='1.0'>
  1101. ]]></example>
  1102. <p>Next the type5.lit service sends a response stream header to type2.lit.</p>
  1103. <example caption="Response Stream Header"><![CDATA[
  1104. <stream:stream
  1105. xmlns='jabber:server'
  1106. xmlns:db='jabber:server:dialback'
  1107. xmlns:stream='http://etherx.jabber.lit/streams'
  1108. from='type5.lit'
  1109. id='idt2_t5o'
  1110. to='type2.lit'>
  1111. ]]></example>
  1112. <p>Because the type5.lit service supports XMPP 1.0, it also sends stream features.</p>
  1113. <example caption="Stream Features"><![CDATA[
  1114. <stream:features>
  1115. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
  1116. <required/>
  1117. </starttls>
  1118. <dialback xmlns='urn:xmpp:features:dialback'/>
  1119. </stream:features>
  1120. ]]></example>
  1121. <p>Because type5.lit requires encryption, type2.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
  1122. <example caption="STARTTLS Request"><![CDATA[
  1123. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  1124. ]]></example>
  1125. <example caption="STARTTLS Response"><![CDATA[
  1126. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  1127. ]]></example>
  1128. <p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
  1129. <p>The type2.lit service then opens a new stream over the encrypted connection.</p>
  1130. <example caption="Initial Stream Header"><![CDATA[
  1131. <stream:stream
  1132. xmlns='jabber:server'
  1133. xmlns:db='jabber:server:dialback'
  1134. xmlns:stream='http://etherx.jabber.lit/streams'
  1135. from='type2.lit'
  1136. to='type5.lit'
  1137. version='1.0'>
  1138. ]]></example>
  1139. <p>Next the type5.lit service sends a response stream header to type2.lit.</p>
  1140. <example caption="Response Stream Header"><![CDATA[
  1141. <stream:stream
  1142. xmlns='jabber:server'
  1143. xmlns:db='jabber:server:dialback'
  1144. xmlns:stream='http://etherx.jabber.lit/streams'
  1145. from='type5.lit'
  1146. id='idt2_t5o2'
  1147. to='type2.lit'>
  1148. ]]></example>
  1149. <p>Because the type5.lit service supports XMPP 1.0, it also sends stream features.</p>
  1150. <example caption="Stream Features"><![CDATA[
  1151. <stream:features>
  1152. <dialback xmlns='urn:xmpp:features:dialback'>
  1153. <required/>
  1154. </dialback>
  1155. </stream:features>
  1156. ]]></example>
  1157. <p>Notice that type5.lit requires dialback here (perhaps because of some local service policy). Therefore type2.lit sends a dialback key to type5.lit.</p>
  1158. <example caption="Dialback Key"><![CDATA[
  1159. <db:result
  1160. from='type2.lit'
  1161. to='type5.lit'>
  1162. some-long-dialback-key
  1163. </db:result>
  1164. ]]></example>
  1165. <p>The type5.lit service then performs a DNS lookup on the type2.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type2.lit service.</p>
  1166. <example caption="Initial Stream Header"><![CDATA[
  1167. <stream:stream
  1168. xmlns='jabber:server'
  1169. xmlns:db='jabber:server:dialback'
  1170. xmlns:stream='http://etherx.jabber.lit/streams'
  1171. from='type5.lit'
  1172. to='type2.lit'>
  1173. ]]></example>
  1174. <p>The authoritative server for the type2.lit service then returns a response stream header.</p>
  1175. <example caption="Response Stream Header"><![CDATA[
  1176. <stream:stream
  1177. xmlns='jabber:server'
  1178. xmlns:db='jabber:server:dialback'
  1179. xmlns:stream='http://etherx.jabber.lit/streams'
  1180. from='type2.lit'
  1181. id='idt2_t5r'
  1182. to='type5.lit'
  1183. version='1.0'>
  1184. ]]></example>
  1185. <p>The type5.lit service then sends a dialback verification request to the authoritative server for the type2.lit domain.</p>
  1186. <example caption="Verification Request"><![CDATA[
  1187. <db:verify
  1188. from='type5.lit'
  1189. id='idt2_t5o'
  1190. to='type2.lit'>
  1191. some-long-dialback-key
  1192. </db:verify>
  1193. ]]></example>
  1194. <p>Here we assume that the authoritative server for the type2.lit domain notifies the type5.lit service that the key is valid.</p>
  1195. <example caption="Key is Valid"><![CDATA[
  1196. <db:verify
  1197. from='type2.lit'
  1198. id='idt2_t5o'
  1199. to='type5.lit'
  1200. type='valid'>
  1201. some-long-dialback-key
  1202. </db:verify>
  1203. ]]></example>
  1204. <p>The type5.lit service then returns a positive server dialback result to the originating server (i.e., type2.lit).</p>
  1205. <example caption="Server Dialback Result"><![CDATA[
  1206. <db:result
  1207. from='type5.lit'
  1208. to='type2.lit'
  1209. type='valid'>
  1210. some-long-dialback-key
  1211. </db:result>
  1212. ]]></example>
  1213. <p>Because the connection is successful, the type2.lit service routes the XML stanza from juliet@type2.lit to the type5.lit service.</p>
  1214. </section2>
  1215. <section2 topic='Type 2 to Type 6' anchor='type2-type6'>
  1216. <p>In this scenario, an XMPP user juliet@type2.lit attempts to send an XML stanza to chris@type6.lit.</p>
  1217. <example caption="Test Stanza"><![CDATA[
  1218. <iq from='juliet@type2.lit/foo'
  1219. id='t2_t6'
  1220. to='chris@type6.lit'
  1221. type='get'>
  1222. <ping xmlns='urn:xmpp:ping'/>
  1223. </iq>
  1224. ]]></example>
  1225. <p>Therefore the type2.lit service (which supports verified connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the type6.lit service (which accepts only trusted connections, has a CA-issued certificate, and does not support Server Dialback).</p>
  1226. <p>First, the type2.lit service sends an initial stream header to type6.lit.</p>
  1227. <example caption="Initial Stream Header"><![CDATA[
  1228. <stream:stream
  1229. xmlns='jabber:server'
  1230. xmlns:db='jabber:server:dialback'
  1231. xmlns:stream='http://etherx.jabber.lit/streams'
  1232. from='type2.lit'
  1233. to='type6.lit'>
  1234. ]]></example>
  1235. <p>Next the type6.lit service sends a response stream header to type2.lit. Notice that the response stream header does not include the dialback namespace, since the type6.lit service does not support Server Dialback.</p>
  1236. <example caption="Response Stream Header"><![CDATA[
  1237. <stream:stream
  1238. xmlns='jabber:server'
  1239. xmlns:stream='http://etherx.jabber.lit/streams'
  1240. from='type6.lit'
  1241. id='idt2_t6o'
  1242. to='type2.lit'
  1243. version='1.0'>
  1244. ]]></example>
  1245. <p>The type6.lit service also sends stream features. Because the type6.lit service does not accept untrusted connections, it returns stream features with a notation that STARTTLS is required.</p>
  1246. <example caption="Stream Features"><![CDATA[
  1247. <stream:features>
  1248. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
  1249. <required/>
  1250. </starttls>
  1251. </stream:features>
  1252. ]]></example>
  1253. <p>Because type6.lit requires encryption, type2.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
  1254. <example caption="STARTTLS Request"><![CDATA[
  1255. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  1256. ]]></example>
  1257. <example caption="STARTTLS Response"><![CDATA[
  1258. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  1259. ]]></example>
<p>The servers then attempt to negotiate TLS. We assume the negotiation fails because type2.lit presents a self-signed certificate but type6.lit requires trusted federation relying on a common root CA.</p>
<p>Because the connection is unsuccessful, the type2.lit service returns a stanza error to juliet@type2.lit, which should be &timeout;.</p>
<example caption="Error Stanza"><![CDATA[
<iq from='chris@type6.lit'
id='t2_t6'
to='juliet@type2.lit/foo'
type='error'>
<error type='cancel'>
<remote-server-timeout
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
]]></example>
</section2>
</section1>
<section1 topic='Connections from Type 3 Services' anchor='type3'>
<section2 topic='Type 3 to Type 1' anchor='type3-type1'>
<p>In this scenario, an XMPP user romeo@type3.lit attempts to send an XML stanza to citizen@type1.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='romeo@type3.lit/foo'
id='t3_t1'
to='citizen@type1.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type3.lit service (which accepts verified connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type1.lit service (which supports verified connections only and does not have a certificate).</p>
<p>First, the type3.lit service sends an initial stream header to type1.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
to='type1.lit'
version='1.0'>
]]></example>
<p>Next the type1.lit service sends a response stream header to type3.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type1.lit'
id='idt3_t1o'
to='type3.lit'>
]]></example>
<p>Because the type1.lit service does not support XMPP 1.0, it does not send stream features. Therefore the type3.lit service attempts to complete server dialback verification.</p>
<example caption="Dialback Key"><![CDATA[
<db:result
from='type3.lit'
to='type1.lit'>
some-long-dialback-key
</db:result>
]]></example>
<p>The type1.lit service then performs a DNS lookup on the type3.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type3.lit service.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type1.lit'
to='type3.lit'>
]]></example>
<p>The authoritative server for the type3.lit service then returns a response stream header.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
id='idt3_t1r'
to='type1.lit'
version='1.0'>
]]></example>
<p>The type1.lit service then sends a dialback verification request to the authoritative server for the type3.lit domain.</p>
<example caption="Verification Request"><![CDATA[
<db:verify
from='type1.lit'
id='idt3_t1o'
to='type3.lit'>
some-long-dialback-key
</db:verify>
]]></example>
<p>Here we assume that the authoritative server for the type3.lit domain notifies the type1.lit service that the key is valid.</p>
<example caption="Key is Valid"><![CDATA[
<db:verify
from='type3.lit'
id='idt3_t1o'
to='type1.lit'
type='valid'>
some-long-dialback-key
</db:verify>
]]></example>
<p>The type1.lit service then returns a positive server dialback result to the originating server (i.e., type3.lit).</p>
<example caption="Server Dialback Result"><![CDATA[
<db:result
from='type1.lit'
to='type3.lit'
type='valid'>
some-long-dialback-key
</db:result>
]]></example>
<p>Because the connection is successful, the type3.lit service routes the XML stanza from romeo@type3.lit to the type1.lit service.</p>
</section2>
<section2 topic='Type 3 to Type 2' anchor='type3-type2'>
<p>In this scenario, an XMPP user romeo@type3.lit attempts to send an XML stanza to juliet@type2.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='romeo@type3.lit/foo'
id='t3_t2'
to='juliet@type2.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type3.lit service (which accepts verified connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type2.lit service (which supports verified connections and has a self-signed certificate).</p>
<p>First, the type3.lit service sends an initial stream header to type2.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
to='type2.lit'
version='1.0'>
]]></example>
<p>Next the type2.lit service sends a response stream header to type3.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type2.lit'
id='idt3_t2o'
to='type3.lit'>
]]></example>
<p>Because the type2.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
<dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
]]></example>
<p>We assume that type2.lit does not attempt STARTTLS negotiation but instead attempts server dialback for weak identity verification.</p>
<example caption="Dialback Key"><![CDATA[
<db:result
from='type3.lit'
to='type2.lit'>
some-long-dialback-key
</db:result>
]]></example>
<p>The type2.lit service then performs a DNS lookup on the type3.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type3.lit service.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type2.lit'
to='type3.lit'>
]]></example>
<p>The authoritative server for the type3.lit service then returns a response stream header.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
id='idt3_t2r'
to='type2.lit'
version='1.0'>
]]></example>
<p>The type2.lit service then sends a dialback verification request to the authoritative server for the type3.lit domain.</p>
<example caption="Verification Request"><![CDATA[
<db:verify
from='type2.lit'
id='idt3_t2o'
to='type3.lit'>
some-long-dialback-key
</db:verify>
]]></example>
<p>Here we assume that the authoritative server for the type3.lit domain notifies the type2.lit service that the key is valid.</p>
<example caption="Key is Valid"><![CDATA[
<db:verify
from='type3.lit'
id='idt3_t2o'
to='type2.lit'
type='valid'>
some-long-dialback-key
</db:verify>
]]></example>
<p>The type2.lit service then returns a positive server dialback result to the originating server (i.e., type3.lit).</p>
<example caption="Server Dialback Result"><![CDATA[
<db:result
from='type2.lit'
to='type3.lit'
type='valid'>
some-long-dialback-key
</db:result>
]]></example>
<p>Because the connection is successful, the type3.lit service routes the XML stanza from romeo@type3.lit to the type2.lit service.</p>
</section2>
<section2 topic='Type 3 to Type 3' anchor='type3-type3'>
<p>In this scenario, an XMPP user romeo@type3.lit attempts to send an XML stanza to user@example.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='romeo@type3.lit/foo'
id='t3_t3'
to='user@example.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type3.lit service (which accepts verified connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the example.lit service (which also supports verified connections and has a CA-issued certificate).</p>
<p>First, the type3.lit service sends an initial stream header to example.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
to='example.lit'
version='1.0'>
]]></example>
<p>Next the example.lit service sends a response stream header to type3.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='example.lit'
id='idt3_t3o'
to='type3.lit'>
]]></example>
<p>Because the example.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
<dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
]]></example>
<p>We assume that example.lit does not attempt STARTTLS negotiation but instead attempts server dialback for weak identity verification.</p>
<example caption="Dialback Key"><![CDATA[
<db:result
from='type3.lit'
to='example.lit'>
some-long-dialback-key
</db:result>
]]></example>
<p>The example.lit service then performs a DNS lookup on the type3.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type3.lit service.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='example.lit'
to='type3.lit'>
]]></example>
<p>The authoritative server for the type3.lit service then returns a response stream header.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
id='idt3_t3r'
to='example.lit'
version='1.0'>
]]></example>
<p>The example.lit service then sends a dialback verification request to the authoritative server for the type3.lit domain.</p>
<example caption="Verification Request"><![CDATA[
<db:verify
from='example.lit'
id='idt3_t3o'
to='type3.lit'>
some-long-dialback-key
</db:verify>
]]></example>
<p>Here we assume that the authoritative server for the type3.lit domain notifies the example.lit service that the key is valid.</p>
<example caption="Key is Valid"><![CDATA[
<db:verify
from='type3.lit'
id='idt3_t3o'
to='example.lit'
type='valid'>
some-long-dialback-key
</db:verify>
]]></example>
<p>The example.lit service then returns a positive server dialback result to the originating server (i.e., type3.lit).</p>
<example caption="Server Dialback Result"><![CDATA[
<db:result
from='example.lit'
to='type3.lit'
type='valid'>
some-long-dialback-key
</db:result>
]]></example>
<p>Because the connection is successful, the type3.lit service routes the XML stanza from romeo@type3.lit to the example.lit service.</p>
</section2>
<section2 topic='Type 3 to Type 4' anchor='type3-type4'>
<p>In this scenario, an XMPP user romeo@type3.lit attempts to send an XML stanza to hamlet@type4.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='romeo@type3.lit/foo'
id='t3_t4'
to='hamlet@type4.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type3.lit service (which accepts verified connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type4.lit service (which also supports verified connections and has a CA-issued certificate).</p>
<p>First, the type3.lit service sends an initial stream header to type4.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
to='type4.lit'
version='1.0'>
]]></example>
<p>Next the type4.lit service sends a response stream header to type3.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type4.lit'
id='idt3_t4o'
to='type3.lit'>
]]></example>
<p>Because the type4.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
<dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
]]></example>
<p>Because type4.lit requires encryption, type3.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
<example caption="STARTTLS Request"><![CDATA[
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<example caption="STARTTLS Response"><![CDATA[
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
<p>The type3.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
to='type4.lit'
version='1.0'>
]]></example>
<p>Next the type4.lit service sends a response stream header to type3.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type4.lit'
id='idt3_t4o2'
to='type3.lit'>
]]></example>
<p>Because the type4.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<dialback xmlns='urn:xmpp:features:dialback'>
<required/>
</dialback>
</stream:features>
]]></example>
<p>Notice that type4.lit requires dialback here (perhaps because of some local service policy). Therefore type3.lit sends a dialback key to type4.lit.</p>
<example caption="Dialback Key"><![CDATA[
<db:result
from='type3.lit'
to='type4.lit'>
some-long-dialback-key
</db:result>
]]></example>
<p>The type4.lit service then performs a DNS lookup on the type3.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type3.lit service.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type4.lit'
to='type3.lit'>
]]></example>
<p>The authoritative server for the type3.lit service then returns a response stream header.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
id='idt3_t4r'
to='type4.lit'
version='1.0'>
]]></example>
<p>The type4.lit service then sends a dialback verification request to the authoritative server for the type3.lit domain.</p>
<example caption="Verification Request"><![CDATA[
<db:verify
from='type4.lit'
id='idt3_t4o'
to='type3.lit'>
some-long-dialback-key
</db:verify>
]]></example>
<p>Here we assume that the authoritative server for the type3.lit domain notifies the type4.lit service that the key is valid.</p>
<example caption="Key is Valid"><![CDATA[
<db:verify
from='type3.lit'
id='idt3_t4o'
to='type4.lit'
type='valid'>
some-long-dialback-key
</db:verify>
]]></example>
<p>The type4.lit service then returns a positive server dialback result to the originating server (i.e., type3.lit).</p>
<example caption="Server Dialback Result"><![CDATA[
<db:result
from='type4.lit'
to='type3.lit'
type='valid'>
some-long-dialback-key
</db:result>
]]></example>
<p>Because the connection is successful, the type3.lit service routes the XML stanza from romeo@type3.lit to the type4.lit service.</p>
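<p>The following is an added example, not part of XEP-0238 and not the code of any XMPP server: a Python model of the Server Dialback exchange walked through in this scenario and the earlier dialback scenarios (Type 2 to Type 4, Type 2 to Type 5, Type 3 to Type 1 through Type 3 to Type 3), with the Originating Server, the Receiving Server and the Authoritative Server kept as separate roles so that the check each one performs is visible. Beyond what this document states, it assumes that dialback keys are derived with HMAC-SHA256 over the stream id and both domain names (the construction XEP-0185 recommends) so the authoritative side can re-derive a key rather than store it, that the authoritative host has already been located by the DNS lookup the scenario describes, and that stanzas are represented as Python dicts; the secret values and all class and function names are constructed for the example.</p>
<example caption="Added Example: Model of the Dialback Exchange"><![CDATA[
```python
"""Added example (not XEP-0238 text or any server's code): a model of the
Server Dialback exchange from the scenarios above, with the three roles
kept separate so the checks each one performs are visible.

Assumptions not stated in the document: keys are derived with HMAC-SHA256
over the stream id and both domains (the XEP-0185 construction), so the
Authoritative Server can re-derive a key rather than store it; the
authoritative host has already been located by the DNS lookup the
scenarios describe; stanzas are modelled as dicts; secrets are constructed.
"""
import hashlib
import hmac
import secrets


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """HEX(HMAC-SHA256(SHA256(secret), receiving ' ' originating ' ' stream_id)).
    Because the stream id is part of the input, a key is only meaningful on
    the one stream it was generated for."""
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hashlib.sha256(secret).digest(), msg, hashlib.sha256).hexdigest()


class OriginatingServer:
    """Sends <db:result from=... to=...>key</db:result> on a stream whose id
    the Receiving Server assigned."""

    def __init__(self, domain: str, secret: bytes):
        self.domain, self.secret = domain, secret

    def dialback_result(self, receiving: str, stream_id: str) -> dict:
        return {"tag": "db:result", "from": self.domain, "to": receiving,
                "key": dialback_key(self.secret, receiving, self.domain, stream_id)}


class AuthoritativeServer:
    """Answers <db:verify/>; shares the secret with the Originating Server."""

    def __init__(self, domain: str, secret: bytes):
        self.domain, self.secret = domain, secret

    def verify(self, req: dict) -> dict:
        # req["from"] is the Receiving Server, req["to"] is our own domain,
        # req["id"] is the id of the stream the db:result arrived on.
        expected = dialback_key(self.secret, req["from"], req["to"], req["id"])
        valid = hmac.compare_digest(expected, req["key"])
        return {"tag": "db:verify", "from": self.domain, "to": req["from"],
                "id": req["id"], "type": "valid" if valid else "invalid",
                "key": req["key"]}


class ReceivingServer:
    """Opens inbound streams, asks the Authoritative Server about keys and
    answers the Originating Server with <db:result type='valid|invalid'/>."""

    def __init__(self, domain: str):
        self.domain = domain
        self.pending = {}  # stream id -> originating domain claimed on that stream

    def open_stream(self, originating: str) -> str:
        stream_id = secrets.token_hex(8)  # the id= in our response stream header
        self.pending[stream_id] = originating
        return stream_id

    def handle_result(self, stream_id: str, result: dict,
                      authoritative: AuthoritativeServer) -> dict:
        if self.pending.get(stream_id) != result["from"]:
            return self._result(result["from"], "invalid")  # key on wrong stream
        req = {"tag": "db:verify", "from": self.domain, "to": result["from"],
               "id": stream_id, "key": result["key"]}
        resp = authoritative.verify(req)
        # Accept the reply only if it echoes our id, sender and key exactly.
        bound = (resp["id"] == req["id"] and resp["from"] == req["to"]
                 and resp["key"] == req["key"])
        verdict = "valid" if bound and resp["type"] == "valid" else "invalid"
        del self.pending[stream_id]
        return self._result(result["from"], verdict)

    def _result(self, originating: str, verdict: str) -> dict:
        return {"tag": "db:result", "from": self.domain, "to": originating,
                "type": verdict}


def run_dialback(authoritative_secret: bytes,
                 originating_secret: bytes = b"constructed-secret") -> str:
    """Run the type3.lit -> type4.lit exchange and return the final verdict.
    A different secret on the authoritative side models a host that answers
    for type3.lit without actually holding type3.lit's secret."""
    originating = OriginatingServer("type3.lit", originating_secret)
    receiving = ReceivingServer("type4.lit")
    authoritative = AuthoritativeServer("type3.lit", authoritative_secret)
    stream_id = receiving.open_stream("type3.lit")
    result = originating.dialback_result("type4.lit", stream_id)
    return receiving.handle_result(stream_id, result, authoritative)["type"]


if __name__ == "__main__":
    print(run_dialback(b"constructed-secret"))  # valid
    print(run_dialback(b"some-other-secret"))   # invalid
```
]]></example>
<p>The point the model makes explicit is why the document calls dialback "weak identity verification": the receiving server learns only that the host DNS returns for type3.lit vouches for the key on this particular stream, so the id in the verification request and its reply must match the stream on which the key arrived, and the authoritative server must re-derive the key for that exact id. Anything stronger (that the peer really is type3.lit regardless of DNS) is what the TLS plus SASL EXTERNAL path in the Type 5 scenarios provides.</p>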
</section2>
<section2 topic='Type 3 to Type 5' anchor='type3-type5'>
<p>In this scenario, an XMPP user romeo@type3.lit attempts to send an XML stanza to bill@type5.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='romeo@type3.lit/foo'
id='t3_t5'
to='bill@type5.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type3.lit service (which accepts verified connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type5.lit service (which also supports encrypted connections and has a CA-issued certificate).</p>
<p>First, the type3.lit service sends an initial stream header to type5.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
to='type5.lit'
version='1.0'>
]]></example>
<p>Next the type5.lit service sends a response stream header to type3.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
id='idt3_t5o'
to='type3.lit'>
]]></example>
<p>Because the type5.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
<dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
]]></example>
<p>Because type5.lit requires encryption, type3.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
<example caption="STARTTLS Request"><![CDATA[
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<example caption="STARTTLS Response"><![CDATA[
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
<p>The type3.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
to='type5.lit'
version='1.0'>
]]></example>
<p>Next the type5.lit service sends a response stream header to type3.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
id='idt3_t5o2'
to='type3.lit'>
]]></example>
<p>Because the type5.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>EXTERNAL</mechanism>
<required/>
</mechanisms>
</stream:features>
]]></example>
<p>Notice that type5.lit requires use of SASL EXTERNAL here (because the certificate presented by type3.lit was issued by a common root CA). Therefore type3.lit attempts to complete SASL negotiation.</p>
<example caption="SASL Mechanism Selection"><![CDATA[
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='EXTERNAL'>dHlwZTMubGl0</auth>
]]></example>
<p>The type5.lit service determines that the authorization identity provided by type3.lit matches the information in the presented certificate and therefore returns success.</p>
<example caption="SASL Success"><![CDATA[
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
]]></example>
<p>The type3.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
to='type5.lit'
version='1.0'>
]]></example>
<p>Next the type5.lit service sends a response stream header to type3.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
id='idt3_t5o3'
to='type3.lit'>
]]></example>
<p>Because the type5.lit service supports XMPP 1.0, it also sends stream features (which in this case are empty).</p>
<example caption="Stream Features"><![CDATA[
<stream:features/>
]]></example>
<p>Because the connection is successful, the type3.lit service routes the XML stanza from romeo@type3.lit to the type5.lit service.</p>
  1802. </section2>
  1803. <section2 topic='Type 3 to Type 6' anchor='type3-type6'>
  1804. <p>In this scenario, an XMPP user romeo@type3.lit attempts to send an XML stanza to chris@type6.lit:</p>
  1805. <example caption="Test Stanza"><![CDATA[
  1806. <iq from='romeo@type3.lit/foo'
  1807. id='t3_t6'
  1808. to='chris@type6.lit'
  1809. type='get'>
  1810. <ping xmlns='urn:xmpp:ping'/>
  1811. </iq>
  1812. ]]></example>
1813. <p>Therefore the type3.lit service (which accepts verified connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type6.lit service (which requires trusted communications, has a CA-issued certificate, and does not support Server Dialback).</p>
  1814. <p>First, the type3.lit service sends an initial stream header to type6.lit.</p>
  1815. <example caption="Initial Stream Header"><![CDATA[
  1816. <stream:stream
  1817. xmlns='jabber:server'
  1818. xmlns:db='jabber:server:dialback'
  1819. xmlns:stream='http://etherx.jabber.lit/streams'
  1820. from='type3.lit'
  1821. to='type6.lit'
  1822. version='1.0'>
  1823. ]]></example>
1824. <p>Next the type6.lit service sends a response stream header to type3.lit. Notice that the response stream header does not include the dialback namespace, since the type6.lit service does not support Server Dialback.</p>
1825. <example caption="Response Stream Header"><![CDATA[
1826. <stream:stream
1827. xmlns='jabber:server'
1829. xmlns:stream='http://etherx.jabber.lit/streams'
1830. from='type6.lit'
1831. id='idt3_t6o'
1832. to='type3.lit'>
1833. ]]></example>
1834. <p>Because the type6.lit service supports XMPP 1.0, it also sends stream features. Because type6.lit does not support Server Dialback, the only feature it advertises at this point is STARTTLS, which it marks as required.</p>
1835. <example caption="Stream Features"><![CDATA[
1836. <stream:features>
1837. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
1838. <required/>
1839. </starttls>
1841. </stream:features>
1842. ]]></example>
  1843. <p>Because type6.lit requires encryption, type3.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
  1844. <example caption="STARTTLS Request"><![CDATA[
  1845. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  1846. ]]></example>
  1847. <example caption="STARTTLS Response"><![CDATA[
  1848. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  1849. ]]></example>
  1850. <p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
  1851. <p>The type3.lit service then opens a new stream over the encrypted connection.</p>
  1852. <example caption="Initial Stream Header"><![CDATA[
  1853. <stream:stream
  1854. xmlns='jabber:server'
  1855. xmlns:db='jabber:server:dialback'
  1856. xmlns:stream='http://etherx.jabber.lit/streams'
  1857. from='type3.lit'
  1858. to='type6.lit'
  1859. version='1.0'>
  1860. ]]></example>
  1861. <p>Next the type6.lit service sends a response stream header to type3.lit.</p>
  1862. <example caption="Response Stream Header"><![CDATA[
  1863. <stream:stream
  1864. xmlns='jabber:server'
  1865. xmlns:db='jabber:server:dialback'
  1866. xmlns:stream='http://etherx.jabber.lit/streams'
  1867. from='type6.lit'
  1868. id='idt3_t6o2'
  1869. to='type3.lit'>
  1870. ]]></example>
  1871. <p>Because the type6.lit service supports XMPP 1.0, it also sends stream features.</p>
  1872. <example caption="Stream Features"><![CDATA[
  1873. <stream:features>
  1874. <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
  1875. <mechanism>EXTERNAL</mechanism>
  1876. <required/>
  1877. </mechanisms>
  1878. </stream:features>
  1879. ]]></example>
1880. <p>Notice that type6.lit offers SASL EXTERNAL and marks it as required here: during TLS negotiation type6.lit was able to validate the certificate presented by type3.lit, because that certificate was issued by a CA that type6.lit trusts. Therefore type3.lit attempts to complete SASL negotiation, sending its own domain name (here "type3.lit", base64-encoded) as the authorization identity.</p>
1881. <example caption="SASL Mechanism Selection"><![CDATA[
1882. <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
1883. mechanism='EXTERNAL'>dHlwZTMubGl0</auth>
1884. ]]></example>
1885. <p>The type6.lit service determines that the authorization identity provided by type3.lit (the decoded value "type3.lit") matches a domain name in the certificate it validated during TLS negotiation and also matches the 'from' address of the stream header, and therefore returns success.</p>
  1886. <example caption="SASL Success"><![CDATA[
  1887. <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
  1888. ]]></example>
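<p>The following is an added example, not code from XEP-0238 or from any XMPP server: it implements the receiving server's side of the SASL EXTERNAL step shown in the Type 3 to Type 5 and Type 3 to Type 6 flows above, i.e., what type5.lit and type6.lit do with the base64 authorization identity in the &lt;auth/&gt; element. The peer certificate is modelled as a plain dictionary of constructed sample data (chain validation is assumed to have been done by the TLS layer); the dictionary layout, the TYPE3_CERT sample and the function names are assumptions of this example.</p>

```python
# Added example, not part of XEP-0238: receiving-side SASL EXTERNAL check
# for a server-to-server stream (what type5.lit / type6.lit do above). The
# peer certificate is a dict of constructed sample data; a real server
# takes these names from its TLS library after validating the chain.
import base64
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: what the receiving server learned about type3.lit's
# certificate during TLS negotiation. chain_valid is the TLS library's
# verdict; this code performs no chain validation of its own.
TYPE3_CERT = {
    "chain_valid": True,
    "dNSName": ["type3.lit", "conference.type3.lit"],
    "xmppAddr": ["type3.lit"],   # id-on-xmppAddr otherName entries
}

def encode_authzid(domain):
    """Initiating side: base64 the domain for the <auth/> element body."""
    return base64.b64encode(domain.encode("utf-8")).decode("ascii")

def parse_auth(xml_text):
    """Return (mechanism, authzid) from an <auth/> element. An empty body
    or a single '=' (RFC 4422's empty initial response) yields ''."""
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}auth" % SASL_NS:
        raise ValueError("not a SASL <auth/> element")
    body = (el.text or "").strip()
    if body in ("", "="):
        return el.get("mechanism"), ""
    return el.get("mechanism"), base64.b64decode(body, validate=True).decode("utf-8")

def certificate_domains(cert):
    """Domains the certificate asserts (XmppAddr and dNSName entries)."""
    return {n.lower() for n in cert.get("xmppAddr", []) + cert.get("dNSName", [])}

def check_external(auth_xml, cert, stream_from):
    """Decide the SASL outcome. stream_from is the 'from' attribute of the
    peer's stream header. Returns (outcome, detail): outcome is 'success'
    (detail = authenticated domain) or 'failure' (detail = SASL condition)."""
    mechanism, authzid = parse_auth(auth_xml)
    if mechanism != "EXTERNAL":
        return "failure", "invalid-mechanism"
    if not cert.get("chain_valid"):
        return "failure", "not-authorized"   # self-signed or untrusted CA
    names = certificate_domains(cert)
    # An empty authzid means "identify me by the certificate": fall back to
    # the stream 'from' and require it to be one of the certified names.
    claimed = (authzid or stream_from or "").lower()
    if not claimed or claimed not in names:
        return "failure", "invalid-authzid" if authzid else "not-authorized"
    # The authzid must also agree with the domain the stream header asserts;
    # otherwise a peer could authenticate as one domain and route as another.
    if authzid and stream_from and claimed != stream_from.lower():
        return "failure", "invalid-authzid"
    return "success", claimed

def sasl_reply(outcome, detail):
    """Render <success/> or <failure><condition/></failure>."""
    if outcome == "success":
        return "<success xmlns='%s'/>" % SASL_NS
    return "<failure xmlns='%s'><%s/></failure>" % (SASL_NS, detail)
```

<p>The check deliberately refuses an authzid the certificate does not cover even when the chain validated, and refuses any certificate the TLS layer could not validate: a self-signed certificate such as the one type4.lit presents later in this document therefore never reaches the success branch, which is exactly why those flows fall back to Server Dialback.</p>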
  1889. <p>The type3.lit service then opens a new stream over the encrypted connection.</p>
  1890. <example caption="Initial Stream Header"><![CDATA[
  1891. <stream:stream
  1892. xmlns='jabber:server'
  1893. xmlns:db='jabber:server:dialback'
  1894. xmlns:stream='http://etherx.jabber.lit/streams'
  1895. from='type3.lit'
  1896. to='type6.lit'
  1897. version='1.0'>
  1898. ]]></example>
  1899. <p>Next the type6.lit service sends a response stream header to type3.lit.</p>
  1900. <example caption="Response Stream Header"><![CDATA[
  1901. <stream:stream
  1902. xmlns='jabber:server'
  1903. xmlns:db='jabber:server:dialback'
  1904. xmlns:stream='http://etherx.jabber.lit/streams'
  1905. from='type6.lit'
  1906. id='idt3_t6o3'
  1907. to='type3.lit'>
  1908. ]]></example>
  1909. <p>Because the type6.lit service supports XMPP 1.0, it also sends stream features (which in this case are empty).</p>
  1910. <example caption="Stream Features"><![CDATA[
  1911. <stream:features/>
  1912. ]]></example>
  1913. <p>Because the connection is successful, the type3.lit service routes the XML stanza from romeo@type3.lit to the type6.lit service.</p>
  1914. </section2>
  1915. </section1>
  1916. <section1 topic='Connections from Type 4 Services' anchor='type4'>
  1917. <section2 topic='Type 4 to Type 1' anchor='type4-type1'>
  1918. <p>In this scenario, an XMPP user hamlet@type4.lit attempts to send an XML stanza to citizen@type1.lit:</p>
  1919. <example caption="Test Stanza"><![CDATA[
  1920. <iq from='hamlet@type4.lit/foo'
  1921. id='t4_t1'
  1922. to='citizen@type1.lit'
  1923. type='get'>
  1924. <ping xmlns='urn:xmpp:ping'/>
  1925. </iq>
  1926. ]]></example>
  1927. <p>Therefore the type4.lit service (which requires encrypted connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the type1.lit service (which supports verified connections only and does not have a certificate).</p>
  1928. <p>First, the type4.lit service sends an initial stream header to type1.lit.</p>
  1929. <example caption="Initial Stream Header"><![CDATA[
  1930. <stream:stream
  1931. xmlns='jabber:server'
  1932. xmlns:db='jabber:server:dialback'
  1933. xmlns:stream='http://etherx.jabber.lit/streams'
  1934. from='type4.lit'
  1935. to='type1.lit'
  1936. version='1.0'>
  1937. ]]></example>
  1938. <p>Next the type1.lit service sends a response stream header to type4.lit.</p>
  1939. <example caption="Response Stream Header"><![CDATA[
  1940. <stream:stream
  1941. xmlns='jabber:server'
  1942. xmlns:db='jabber:server:dialback'
  1943. xmlns:stream='http://etherx.jabber.lit/streams'
  1944. from='type1.lit'
  1945. id='idt4_t1o'
  1946. to='type4.lit'>
  1947. ]]></example>
1948. <p>Because the type1.lit service does not support XMPP 1.0 (its response stream header carries no version='1.0' attribute), it does not send stream features, so STARTTLS cannot be negotiated on this stream. Because the type4.lit service requires encryption via TLS, it will not fall back to Server Dialback over the unencrypted stream; it therefore cannot proceed further with the stream negotiation and closes the stream.</p>
  1949. <example caption="Stream Close"><![CDATA[
  1950. </stream:stream>
  1951. ]]></example>
  1952. <p>The type1.lit service closes the stream as well.</p>
  1953. <example caption="Stream Close"><![CDATA[
  1954. </stream:stream>
  1955. ]]></example>
  1956. <p>Because the connection is unsuccessful, the type4.lit service returns a stanza error to hamlet@type4.lit, which should be &timeout;.</p>
  1957. <example caption="Error Stanza"><![CDATA[
  1958. <iq from='citizen@type1.lit'
  1959. id='t4_t1'
  1960. to='hamlet@type4.lit/foo'
  1961. type='error'>
1962. <error type='wait'>
  1963. <remote-server-timeout
  1964. xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
  1965. </error>
  1966. </iq>
  1967. ]]></example>
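<p>The following is an added example, not code from XEP-0238 or from any XMPP server: it encodes the originating server's decision procedure that the flows in this document walk through one case at a time (upgrade with STARTTLS, authenticate with SASL EXTERNAL, fall back to Server Dialback, send stanzas, or abort as type4.lit does against type1.lit above), together with the stanza error that is returned to the user when negotiation fails. The policy dictionaries TYPE4_POLICY and TYPE1_POLICY are constructed samples, and the function names are assumptions of this example; the stream namespace uses the real jabber.org value where the examples on this page write jabber.lit.</p>

```python
# Added example, not part of XEP-0238: the originating server's next step
# after reading the peer's response stream header and, if any, its
# <stream:features/>. Policies below are constructed samples.
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"  # real value; examples write .lit
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
DB_NS = "urn:xmpp:features:dialback"
STANZA_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Constructed local policies (assumed shape, not from the XEP).
TYPE4_POLICY = {"support_tls": True, "require_tls": True,
                "have_cert": True, "support_dialback": True}
TYPE1_POLICY = {"support_tls": False, "require_tls": False,
                "have_cert": False, "support_dialback": True}

def parse_features(features_xml):
    """Summarise a <stream:features/> fragment. The fragment uses the
    'stream' prefix without declaring it, as the examples do, so it is
    wrapped in a root element that binds the prefix first."""
    root = ET.fromstring("<r xmlns:stream='%s'>%s</r>" % (STREAM_NS, features_xml))
    feats = root.find("{%s}features" % STREAM_NS)
    if feats is None:
        raise ValueError("no stream:features element")

    def required(el, ns):
        # <required/> lives in its parent's namespace (e.g. xmpp-tls)
        return el is not None and el.find("{%s}required" % ns) is not None

    starttls = feats.find("{%s}starttls" % TLS_NS)
    mechs = feats.find("{%s}mechanisms" % SASL_NS)
    dialback = feats.find("{%s}dialback" % DB_NS)
    mechanisms = set()
    if mechs is not None:
        mechanisms = {m.text.strip() for m in mechs.findall("{%s}mechanism" % SASL_NS)}
    return {
        "starttls": starttls is not None,
        "starttls_required": required(starttls, TLS_NS),
        "mechanisms": mechanisms,
        "sasl_required": required(mechs, SASL_NS),
        "dialback": dialback is not None,
        "dialback_required": required(dialback, DB_NS),
    }

def next_step(peer_version, features_xml, policy, tls_done=False):
    """Return 'starttls', 'sasl-external', 'dialback', 'send-stanzas' or 'abort'.

    peer_version: 'version' attribute of the response stream header, or None
                  when absent (a pre-XMPP-1.0 peer such as type1.lit).
    features_xml: the <stream:features/> fragment, or None if none arrived.
    tls_done:     True once TLS has been negotiated on this connection.
    """
    if peer_version is None or features_xml is None:
        # No features will arrive, so STARTTLS and SASL are unavailable.
        if policy["require_tls"] and not tls_done:
            return "abort"
        return "dialback" if policy["support_dialback"] else "abort"
    f = parse_features(features_xml)
    if not tls_done:
        if f["starttls"] and policy["support_tls"]:
            return "starttls"          # upgrade whenever both sides can
        if f["starttls_required"] or policy["require_tls"]:
            return "abort"             # one side demands TLS the other lacks
    if tls_done and "EXTERNAL" in f["mechanisms"] and policy["have_cert"]:
        return "sasl-external"
    if f["sasl_required"]:
        return "abort"                 # peer insists on SASL we cannot do
    if f["dialback"] and policy["support_dialback"]:
        return "dialback"
    if f["dialback_required"]:
        return "abort"
    return "send-stanzas"              # nothing left to negotiate

def remote_server_timeout(orig_from, orig_id, orig_to):
    """Bounce a stanza whose s2s connection could not be negotiated (the
    Type 4 to Type 1 outcome). The error type paired with
    <remote-server-timeout/> is 'wait' (RFC 3920, section 9.3.3)."""
    return ("<iq from='%s' id='%s' to='%s' type='error'>"
            "<error type='wait'><remote-server-timeout xmlns='%s'/></error>"
            "</iq>" % (orig_to, orig_id, orig_from, STANZA_NS))
```

<p>The two abort branches are the ones that matter operationally: a peer that never sends features (no version='1.0') can only be reached by dialback over a cleartext stream, and a local policy that requires encryption must refuse that rather than silently downgrade.</p>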
  1968. </section2>
  1969. <section2 topic='Type 4 to Type 2' anchor='type4-type2'>
  1970. <p>In this scenario, an XMPP user hamlet@type4.lit attempts to send an XML stanza to juliet@type2.lit:</p>
  1971. <example caption="Test Stanza"><![CDATA[
  1972. <iq from='hamlet@type4.lit/foo'
  1973. id='t4_t2'
  1974. to='juliet@type2.lit'
  1975. type='get'>
  1976. <ping xmlns='urn:xmpp:ping'/>
  1977. </iq>
  1978. ]]></example>
  1979. <p>Therefore the type4.lit service (which requires encrypted connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the type2.lit service (which supports verified connections and has a self-signed certificate).</p>
  1980. <p>First, the type4.lit service sends an initial stream header to type2.lit.</p>
  1981. <example caption="Initial Stream Header"><![CDATA[
  1982. <stream:stream
  1983. xmlns='jabber:server'
  1984. xmlns:db='jabber:server:dialback'
  1985. xmlns:stream='http://etherx.jabber.lit/streams'
  1986. from='type4.lit'
  1987. to='type2.lit'
  1988. version='1.0'>
  1989. ]]></example>
  1990. <p>Next the type2.lit service sends a response stream header to type4.lit.</p>
  1991. <example caption="Response Stream Header"><![CDATA[
  1992. <stream:stream
  1993. xmlns='jabber:server'
  1994. xmlns:db='jabber:server:dialback'
  1995. xmlns:stream='http://etherx.jabber.lit/streams'
  1996. from='type2.lit'
  1997. id='idt4_t2o'
  1998. to='type4.lit'>
  1999. ]]></example>
  2000. <p>Because the type2.lit service supports XMPP 1.0, it also sends stream features.</p>
  2001. <example caption="Stream Features"><![CDATA[
  2002. <stream:features>
  2003. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  2004. <dialback xmlns='urn:xmpp:features:dialback'/>
  2005. </stream:features>
  2006. ]]></example>
  2007. <p>Because the type4.lit service requires encryption, it attempts STARTTLS negotiation.</p>
  2008. <example caption="STARTTLS Request"><![CDATA[
  2009. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  2010. ]]></example>
  2011. <example caption="STARTTLS Response"><![CDATA[
  2012. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  2013. ]]></example>
  2014. <p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
  2015. <p>The type4.lit service then opens a new stream over the encrypted connection.</p>
  2016. <example caption="Initial Stream Header"><![CDATA[
  2017. <stream:stream
  2018. xmlns='jabber:server'
  2019. xmlns:db='jabber:server:dialback'
  2020. xmlns:stream='http://etherx.jabber.lit/streams'
  2021. from='type4.lit'
  2022. to='type2.lit'
  2023. version='1.0'>
  2024. ]]></example>
  2025. <p>Next the type2.lit service sends a response stream header to type4.lit.</p>
  2026. <example caption="Response Stream Header"><![CDATA[
  2027. <stream:stream
  2028. xmlns='jabber:server'
  2029. xmlns:db='jabber:server:dialback'
  2030. xmlns:stream='http://etherx.jabber.lit/streams'
  2031. from='type2.lit'
  2032. id='idt4_t2o2'
  2033. to='type4.lit'>
  2034. ]]></example>
2035. <p>Because the type2.lit service supports XMPP 1.0, it also sends stream features over the new stream.</p>
2036. <example caption="Stream Features"><![CDATA[
2037. <stream:features>
2038. <dialback xmlns='urn:xmpp:features:dialback'>
2039. <required/>
2040. </dialback>
2041. </stream:features>
2042. ]]></example>
2043. <p>Notice that type2.lit requires dialback here: the certificate presented by type4.lit during TLS negotiation is self-signed, so type2.lit cannot validate it and does not offer SASL EXTERNAL. TLS therefore encrypts the stream but does not authenticate the peer, and Server Dialback is the only remaining way to verify that the stream really belongs to type4.lit. Therefore type4.lit sends a dialback key to type2.lit.</p>
  2044. <example caption="Dialback Key"><![CDATA[
  2045. <db:result
  2046. from='type4.lit'
  2047. to='type2.lit'>
  2048. some-long-dialback-key
  2049. </db:result>
  2050. ]]></example>
  2051. <p>The type2.lit service then performs a DNS lookup on the type4.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type4.lit service.</p>
  2052. <example caption="Initial Stream Header"><![CDATA[
  2053. <stream:stream
  2054. xmlns='jabber:server'
  2055. xmlns:db='jabber:server:dialback'
  2056. xmlns:stream='http://etherx.jabber.lit/streams'
  2057. from='type2.lit'
  2058. to='type4.lit'>
  2059. ]]></example>
  2060. <p>The authoritative server for the type4.lit service then returns a response stream header.</p>
  2061. <example caption="Response Stream Header"><![CDATA[
  2062. <stream:stream
  2063. xmlns='jabber:server'
  2064. xmlns:db='jabber:server:dialback'
  2065. xmlns:stream='http://etherx.jabber.lit/streams'
  2066. from='type4.lit'
  2067. id='idt4_t2r'
  2068. to='type2.lit'
  2069. version='1.0'>
  2070. ]]></example>
2071. <p>The type2.lit service then sends a dialback verification request to the authoritative server for the type4.lit domain. The 'id' attribute is the ID of the stream on which the dialback key was received, i.e., the stream that type2.lit opened after TLS negotiation ('idt4_t2o2'), not the ID of the stream that STARTTLS replaced.</p>
2072. <example caption="Verification Request"><![CDATA[
2073. <db:verify
2074. from='type2.lit'
2075. id='idt4_t2o2'
2076. to='type4.lit'>
2077. some-long-dialback-key
2078. </db:verify>
2079. ]]></example>
2080. <p>Here we assume that the authoritative server for the type4.lit domain recomputes the key for that stream ID and notifies the type2.lit service that the key is valid.</p>
2081. <example caption="Key is Valid"><![CDATA[
2082. <db:verify
2083. from='type4.lit'
2084. id='idt4_t2o2'
2085. to='type2.lit'
2086. type='valid'>
2087. some-long-dialback-key
2088. </db:verify>
2089. ]]></example>
  2090. <p>The type2.lit service then returns a positive server dialback result to the originating server (i.e., type4.lit).</p>
  2091. <example caption="Server Dialback Result"><![CDATA[
  2092. <db:result
  2093. from='type2.lit'
  2094. to='type4.lit'
  2095. type='valid'>
  2096. some-long-dialback-key
  2097. </db:result>
  2098. ]]></example>
  2099. <p>Because the connection is successful, the type4.lit service routes the XML stanza from hamlet@type4.lit to the type2.lit service.</p>
  2100. </section2>
  2101. <section2 topic='Type 4 to Type 3' anchor='type4-type3'>
  2102. <p>In this scenario, an XMPP user hamlet@type4.lit attempts to send an XML stanza to romeo@type3.lit:</p>
  2103. <example caption="Test Stanza"><![CDATA[
  2104. <iq from='hamlet@type4.lit/foo'
  2105. id='t4_t3'
  2106. to='romeo@type3.lit'
  2107. type='get'>
  2108. <ping xmlns='urn:xmpp:ping'/>
  2109. </iq>
  2110. ]]></example>
  2111. <p>Therefore the type4.lit service (which requires encrypted connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the type3.lit service (which supports verified connections and has a CA-issued certificate).</p>
  2112. <p>First, the type4.lit service sends an initial stream header to type3.lit.</p>
  2113. <example caption="Initial Stream Header"><![CDATA[
  2114. <stream:stream
  2115. xmlns='jabber:server'
  2116. xmlns:db='jabber:server:dialback'
  2117. xmlns:stream='http://etherx.jabber.lit/streams'
  2118. from='type4.lit'
  2119. to='type3.lit'
  2120. version='1.0'>
  2121. ]]></example>
  2122. <p>Next the type3.lit service sends a response stream header to type4.lit.</p>
  2123. <example caption="Response Stream Header"><![CDATA[
  2124. <stream:stream
  2125. xmlns='jabber:server'
  2126. xmlns:db='jabber:server:dialback'
  2127. xmlns:stream='http://etherx.jabber.lit/streams'
  2128. from='type3.lit'
  2129. id='idt4_t3o'
  2130. to='type4.lit'>
  2131. ]]></example>
  2132. <p>Because the type3.lit service supports XMPP 1.0, it also sends stream features.</p>
  2133. <example caption="Stream Features"><![CDATA[
  2134. <stream:features>
  2135. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  2136. <dialback xmlns='urn:xmpp:features:dialback'/>
  2137. </stream:features>
  2138. ]]></example>
  2139. <p>Because the type4.lit service requires encryption, it attempts STARTTLS negotiation.</p>
  2140. <example caption="STARTTLS Request"><![CDATA[
  2141. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  2142. ]]></example>
  2143. <example caption="STARTTLS Response"><![CDATA[
  2144. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  2145. ]]></example>
  2146. <p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
  2147. <p>The type4.lit service then opens a new stream over the encrypted connection.</p>
  2148. <example caption="Initial Stream Header"><![CDATA[
  2149. <stream:stream
  2150. xmlns='jabber:server'
  2151. xmlns:db='jabber:server:dialback'
  2152. xmlns:stream='http://etherx.jabber.lit/streams'
  2153. from='type4.lit'
  2154. to='type3.lit'
  2155. version='1.0'>
  2156. ]]></example>
  2157. <p>Next the type3.lit service sends a response stream header to type4.lit.</p>
  2158. <example caption="Response Stream Header"><![CDATA[
  2159. <stream:stream
  2160. xmlns='jabber:server'
  2161. xmlns:db='jabber:server:dialback'
  2162. xmlns:stream='http://etherx.jabber.lit/streams'
  2163. from='type3.lit'
  2164. id='idt4_t3o2'
  2165. to='type4.lit'>
  2166. ]]></example>
2167. <p>Because the type3.lit service supports XMPP 1.0, it also sends stream features over the new stream.</p>
2168. <example caption="Stream Features"><![CDATA[
2169. <stream:features>
2170. <dialback xmlns='urn:xmpp:features:dialback'>
2171. <required/>
2172. </dialback>
2173. </stream:features>
2174. ]]></example>
2175. <p>Notice that type3.lit requires dialback here: the certificate presented by type4.lit during TLS negotiation is self-signed, so type3.lit cannot validate it and does not offer SASL EXTERNAL. TLS therefore encrypts the stream but does not authenticate the peer, and Server Dialback is the only remaining way to verify that the stream really belongs to type4.lit. Therefore type4.lit sends a dialback key to type3.lit.</p>
  2176. <example caption="Dialback Key"><![CDATA[
  2177. <db:result
  2178. from='type4.lit'
  2179. to='type3.lit'>
  2180. some-long-dialback-key
  2181. </db:result>
  2182. ]]></example>
  2183. <p>The type3.lit service then performs a DNS lookup on the type4.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type4.lit service.</p>
  2184. <example caption="Initial Stream Header"><![CDATA[
  2185. <stream:stream
  2186. xmlns='jabber:server'
  2187. xmlns:db='jabber:server:dialback'
  2188. xmlns:stream='http://etherx.jabber.lit/streams'
  2189. from='type3.lit'
  2190. to='type4.lit'>
  2191. ]]></example>
  2192. <p>The authoritative server for the type4.lit service then returns a response stream header.</p>
  2193. <example caption="Response Stream Header"><![CDATA[
  2194. <stream:stream
  2195. xmlns='jabber:server'
  2196. xmlns:db='jabber:server:dialback'
  2197. xmlns:stream='http://etherx.jabber.lit/streams'
  2198. from='type4.lit'
  2199. id='idt4_t3r'
  2200. to='type3.lit'
  2201. version='1.0'>
  2202. ]]></example>
2203. <p>The type3.lit service then sends a dialback verification request to the authoritative server for the type4.lit domain. The 'id' attribute is the ID of the stream on which the dialback key was received, i.e., the stream that type3.lit opened after TLS negotiation ('idt4_t3o2'), not the ID of the stream that STARTTLS replaced.</p>
2204. <example caption="Verification Request"><![CDATA[
2205. <db:verify
2206. from='type3.lit'
2207. id='idt4_t3o2'
2208. to='type4.lit'>
2209. some-long-dialback-key
2210. </db:verify>
2211. ]]></example>
2212. <p>Here we assume that the authoritative server for the type4.lit domain recomputes the key for that stream ID and notifies the type3.lit service that the key is valid.</p>
2213. <example caption="Key is Valid"><![CDATA[
2214. <db:verify
2215. from='type4.lit'
2216. id='idt4_t3o2'
2217. to='type3.lit'
2218. type='valid'>
2219. some-long-dialback-key
2220. </db:verify>
2221. ]]></example>
  2222. <p>The type3.lit service then returns a positive server dialback result to the originating server (i.e., type4.lit).</p>
  2223. <example caption="Server Dialback Result"><![CDATA[
  2224. <db:result
  2225. from='type3.lit'
  2226. to='type4.lit'
  2227. type='valid'>
  2228. some-long-dialback-key
  2229. </db:result>
  2230. ]]></example>
  2231. <p>Because the connection is successful, the type4.lit service routes the XML stanza from hamlet@type4.lit to the type3.lit service.</p>
  2232. </section2>
  2233. <section2 topic='Type 4 to Type 4' anchor='type4-type4'>
  2234. <p>In this scenario, an XMPP user hamlet@type4.lit attempts to send an XML stanza to user@example.lit:</p>
  2235. <example caption="Test Stanza"><![CDATA[
  2236. <iq from='hamlet@type4.lit/foo'
  2237. id='t4_t4'
  2238. to='user@example.lit'
  2239. type='get'>
  2240. <ping xmlns='urn:xmpp:ping'/>
  2241. </iq>
  2242. ]]></example>
  2243. <p>Therefore the type4.lit service (which requires encrypted connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the example.lit service (which also requires encrypted connections and has a self-signed certificate).</p>
  2244. <p>First, the type4.lit service sends an initial stream header to example.lit.</p>
  2245. <example caption="Initial Stream Header"><![CDATA[
  2246. <stream:stream
  2247. xmlns='jabber:server'
  2248. xmlns:db='jabber:server:dialback'
  2249. xmlns:stream='http://etherx.jabber.lit/streams'
  2250. from='type4.lit'
  2251. to='example.lit'
  2252. version='1.0'>
  2253. ]]></example>
  2254. <p>Next the example.lit service sends a response stream header to type4.lit.</p>
  2255. <example caption="Response Stream Header"><![CDATA[
  2256. <stream:stream
  2257. xmlns='jabber:server'
  2258. xmlns:db='jabber:server:dialback'
  2259. xmlns:stream='http://etherx.jabber.lit/streams'
  2260. from='example.lit'
  2261. id='idt4_t4o'
  2262. to='type4.lit'>
  2263. ]]></example>
2264. <p>Because the example.lit service supports XMPP 1.0, it also sends stream features. Because example.lit requires encrypted connections, it marks STARTTLS as required.</p>
2265. <example caption="Stream Features"><![CDATA[
2266. <stream:features>
2267. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
2268. <required/>
2269. </starttls>
2270. <dialback xmlns='urn:xmpp:features:dialback'/>
2271. </stream:features>
2272. ]]></example>
2273. <p>Because both services require encryption, type4.lit attempts STARTTLS negotiation.</p>
  2272. <example caption="STARTTLS Request"><![CDATA[
  2273. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  2274. ]]></example>
  2275. <example caption="STARTTLS Response"><![CDATA[
  2276. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  2277. ]]></example>
  2278. <p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
  2279. <p>The type4.lit service then opens a new stream over the encrypted connection.</p>
  2280. <example caption="Initial Stream Header"><![CDATA[
  2281. <stream:stream
  2282. xmlns='jabber:server'
  2283. xmlns:db='jabber:server:dialback'
  2284. xmlns:stream='http://etherx.jabber.lit/streams'
  2285. from='type4.lit'
  2286. to='example.lit'
  2287. version='1.0'>
  2288. ]]></example>
  2289. <p>Next the example.lit service sends a response stream header to type4.lit.</p>
  2290. <example caption="Response Stream Header"><![CDATA[
  2291. <stream:stream
  2292. xmlns='jabber:server'
  2293. xmlns:db='jabber:server:dialback'
  2294. xmlns:stream='http://etherx.jabber.lit/streams'
  2295. from='example.lit'
  2296. id='idt4_t4o2'
  2297. to='type4.lit'>
  2298. ]]></example>
2299. <p>Because the example.lit service supports XMPP 1.0, it also sends stream features over the new stream.</p>
2300. <example caption="Stream Features"><![CDATA[
2301. <stream:features>
2302. <dialback xmlns='urn:xmpp:features:dialback'>
2303. <required/>
2304. </dialback>
2305. </stream:features>
2306. ]]></example>
2307. <p>Notice that example.lit requires dialback here: the certificate presented by type4.lit during TLS negotiation is self-signed, so example.lit cannot validate it and does not offer SASL EXTERNAL. TLS therefore encrypts the stream but does not authenticate the peer, and Server Dialback is the only remaining way to verify that the stream really belongs to type4.lit. Therefore type4.lit sends a dialback key to example.lit.</p>
  2308. <example caption="Dialback Key"><![CDATA[
  2309. <db:result
  2310. from='type4.lit'
  2311. to='example.lit'>
  2312. some-long-dialback-key
  2313. </db:result>
  2314. ]]></example>
  2315. <p>The example.lit service then performs a DNS lookup on the type4.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type4.lit service.</p>
  2316. <example caption="Initial Stream Header"><![CDATA[
  2317. <stream:stream
  2318. xmlns='jabber:server'
  2319. xmlns:db='jabber:server:dialback'
  2320. xmlns:stream='http://etherx.jabber.lit/streams'
  2321. from='example.lit'
  2322. to='type4.lit'>
  2323. ]]></example>
  2324. <p>The authoritative server for the type4.lit service then returns a response stream header.</p>
  2325. <example caption="Response Stream Header"><![CDATA[
  2326. <stream:stream
  2327. xmlns='jabber:server'
  2328. xmlns:db='jabber:server:dialback'
  2329. xmlns:stream='http://etherx.jabber.lit/streams'
  2330. from='type4.lit'
  2331. id='idt4_t4r'
  2332. to='example.lit'
  2333. version='1.0'>
  2334. ]]></example>
2335. <p>The example.lit service then sends a dialback verification request to the authoritative server for the type4.lit domain. The 'id' attribute is the ID of the stream on which the dialback key was received, i.e., the stream that example.lit opened after TLS negotiation ('idt4_t4o2'), not the ID of the stream that STARTTLS replaced.</p>
2336. <example caption="Verification Request"><![CDATA[
2337. <db:verify
2338. from='example.lit'
2339. id='idt4_t4o2'
2340. to='type4.lit'>
2341. some-long-dialback-key
2342. </db:verify>
2343. ]]></example>
2344. <p>Here we assume that the authoritative server for the type4.lit domain recomputes the key for that stream ID and notifies the example.lit service that the key is valid.</p>
2345. <example caption="Key is Valid"><![CDATA[
2346. <db:verify
2347. from='type4.lit'
2348. id='idt4_t4o2'
2349. to='example.lit'
2350. type='valid'>
2351. some-long-dialback-key
2352. </db:verify>
2353. ]]></example>
  2354. <p>The example.lit service then returns a positive server dialback result to the originating server (i.e., type4.lit).</p>
  2355. <example caption="Server Dialback Result"><![CDATA[
  2356. <db:result
  2357. from='example.lit'
  2358. to='type4.lit'
  2359. type='valid'>
  2360. some-long-dialback-key
  2361. </db:result>
  2362. ]]></example>
  2363. <p>Because the connection is successful, the type4.lit service routes the XML stanza from hamlet@type4.lit to the example.lit service.</p>
  2364. </section2>
  2365. <section2 topic='Type 4 to Type 5' anchor='type4-type5'>
  2366. <p>In this scenario, an XMPP user hamlet@type4.lit attempts to send an XML stanza to bill@type5.lit:</p>
  2367. <example caption="Test Stanza"><![CDATA[
  2368. <iq from='hamlet@type4.lit/foo'
  2369. id='t4_t5'
2370. to='bill@type5.lit'
  2371. type='get'>
  2372. <ping xmlns='urn:xmpp:ping'/>
  2373. </iq>
  2374. ]]></example>
2375. <p>Therefore the type4.lit service (which requires encrypted connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the type5.lit service (which also requires encrypted connections and has a CA-issued certificate).</p>
  2376. <p>First, the type4.lit service sends an initial stream header to type5.lit.</p>
  2377. <example caption="Initial Stream Header"><![CDATA[
  2378. <stream:stream
  2379. xmlns='jabber:server'
  2380. xmlns:db='jabber:server:dialback'
  2381. xmlns:stream='http://etherx.jabber.lit/streams'
  2382. from='type4.lit'
  2383. to='type5.lit'
  2384. version='1.0'>
  2385. ]]></example>
  2386. <p>Next the type5.lit service sends a response stream header to type4.lit.</p>
  2387. <example caption="Response Stream Header"><![CDATA[
  2388. <stream:stream
  2389. xmlns='jabber:server'
  2390. xmlns:db='jabber:server:dialback'
  2391. xmlns:stream='http://etherx.jabber.lit/streams'
  2392. from='type5.lit'
  2393. id='idt4_t5o'
  2394. to='type4.lit'>
  2395. ]]></example>
2396. <p>Because the type5.lit service supports XMPP 1.0, it also sends stream features. Because type5.lit requires encrypted connections, it marks STARTTLS as required.</p>
2397. <example caption="Stream Features"><![CDATA[
2398. <stream:features>
2399. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
2400. <required/>
2401. </starttls>
2402. <dialback xmlns='urn:xmpp:features:dialback'/>
2403. </stream:features>
2404. ]]></example>
2405. <p>Because both services require encryption, type4.lit attempts STARTTLS negotiation.</p>
  2404. <example caption="STARTTLS Request"><![CDATA[
  2405. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  2406. ]]></example>
  2407. <example caption="STARTTLS Response"><![CDATA[
  2408. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  2409. ]]></example>
  2410. <p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
  2411. <p>The type4.lit service then opens a new stream over the encrypted connection.</p>
  2412. <example caption="Initial Stream Header"><![CDATA[
  2413. <stream:stream
  2414. xmlns='jabber:server'
  2415. xmlns:db='jabber:server:dialback'
  2416. xmlns:stream='http://etherx.jabber.lit/streams'
  2417. from='type4.lit'
  2418. to='type5.lit'
  2419. version='1.0'>
  2420. ]]></example>
  2421. <p>Next the type5.lit service sends a response stream header to type4.lit.</p>
  2422. <example caption="Response Stream Header"><![CDATA[
  2423. <stream:stream
  2424. xmlns='jabber:server'
  2425. xmlns:db='jabber:server:dialback'
  2426. xmlns:stream='http://etherx.jabber.lit/streams'
  2427. from='type5.lit'
  2428. id='idt4_t5o2'
  2429. to='type4.lit'>
  2430. ]]></example>
2431. <p>Because the type5.lit service supports XMPP 1.0, it also sends stream features over the new stream.</p>
2432. <example caption="Stream Features"><![CDATA[
2433. <stream:features>
2434. <dialback xmlns='urn:xmpp:features:dialback'>
2435. <required/>
2436. </dialback>
2437. </stream:features>
2438. ]]></example>
2439. <p>Notice that type5.lit requires dialback here: the certificate presented by type4.lit during TLS negotiation is self-signed, so type5.lit cannot validate it and does not offer SASL EXTERNAL. TLS therefore encrypts the stream but does not authenticate the peer, and Server Dialback is the only remaining way to verify that the stream really belongs to type4.lit. Therefore type4.lit sends a dialback key to type5.lit.</p>
  2440. <example caption="Dialback Key"><![CDATA[
  2441. <db:result
  2442. from='type4.lit'
  2443. to='type5.lit'>
  2444. some-long-dialback-key
  2445. </db:result>
  2446. ]]></example>
  2447. <p>The type5.lit service then performs a DNS lookup on the type4.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type4.lit service.</p>
  2448. <example caption="Initial Stream Header"><![CDATA[
  2449. <stream:stream
  2450. xmlns='jabber:server'
  2451. xmlns:db='jabber:server:dialback'
  2452. xmlns:stream='http://etherx.jabber.lit/streams'
  2453. from='type5.lit'
  2454. to='type4.lit'>
  2455. ]]></example>
  2456. <p>The authoritative server for the type4.lit service then returns a response stream header.</p>
  2457. <example caption="Response Stream Header"><![CDATA[
  2458. <stream:stream
  2459. xmlns='jabber:server'
  2460. xmlns:db='jabber:server:dialback'
  2461. xmlns:stream='http://etherx.jabber.lit/streams'
  2462. from='type4.lit'
  2463. id='idt4_t5r'
  2464. to='type5.lit'
  2465. version='1.0'>
  2466. ]]></example>
2467. <p>The type5.lit service then sends a dialback verification request to the authoritative server for the type4.lit domain. The 'id' attribute is the ID of the stream on which the dialback key was received, i.e., the stream that type5.lit opened after TLS negotiation ('idt4_t5o2'), not the ID of the stream that STARTTLS replaced.</p>
2468. <example caption="Verification Request"><![CDATA[
2469. <db:verify
2470. from='type5.lit'
2471. id='idt4_t5o2'
2472. to='type4.lit'>
2473. some-long-dialback-key
2474. </db:verify>
2475. ]]></example>
2476. <p>Here we assume that the authoritative server for the type4.lit domain recomputes the key for that stream ID and notifies the type5.lit service that the key is valid.</p>
2477. <example caption="Key is Valid"><![CDATA[
2478. <db:verify
2479. from='type4.lit'
2480. id='idt4_t5o2'
2481. to='type5.lit'
2482. type='valid'>
2483. some-long-dialback-key
2484. </db:verify>
2485. ]]></example>
  2486. <p>The type5.lit service then returns a positive server dialback result to the originating server (i.e., type4.lit).</p>
  2487. <example caption="Server Dialback Result"><![CDATA[
  2488. <db:result
  2489. from='type5.lit'
  2490. to='type4.lit'
  2491. type='valid'>
  2492. some-long-dialback-key
  2493. </db:result>
  2494. ]]></example>
  2495. <p>Because the connection is successful, the type4.lit service routes the XML stanza from hamlet@type4.lit to the type5.lit service.</p>
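<p>The following is an added example, not code from XEP-0238 or from any XMPP server: it runs the Server Dialback exchange that the Type 4 to Type 2, Type 4 to Type 3, Type 4 to Type 4 and Type 4 to Type 5 flows above all share (originating server, receiving server and authoritative server) with a concrete key instead of the placeholder 'some-long-dialback-key'. The key construction is the one recommended by XEP-0185 (HMAC-SHA256 over the receiving domain, originating domain and stream ID, keyed by a hash of a per-service secret); that choice, the sample secret TYPE4_SECRET and the function names are assumptions of this example, since XEP-0238 does not specify how keys are generated.</p>

```python
# Added example, not part of XEP-0238: the Server Dialback exchange of the
# Type 4 sections above with a concrete key. The construction is the one
# XEP-0185 recommends (assumed here; the XEP shows only a placeholder):
#   key = HEX(HMAC-SHA256(HEX(SHA256(secret)),
#                         receiving + ' ' + originating + ' ' + stream_id))
# The secret and stream IDs are constructed sample values.
import hashlib
import hmac
import xml.etree.ElementTree as ET

DB_NS = "jabber:server:dialback"

# Constructed sample secret; every node of the type4.lit service must share
# it, because any node may be asked to verify a key another node generated.
TYPE4_SECRET = "s3cr3tf0rd14lb4ck"

def dialback_key(secret, receiving, originating, stream_id):
    """Key bound to both domains and to the ID of the stream it is sent on,
    so a captured key cannot be replayed on another stream."""
    hmac_key = hashlib.sha256(secret.encode("utf-8")).hexdigest().encode("ascii")
    message = " ".join((receiving, originating, stream_id)).encode("utf-8")
    return hmac.new(hmac_key, message, hashlib.sha256).hexdigest()

def _parse_db(xml_text, local_name):
    """Parse a db:result or db:verify fragment (binds the db prefix)."""
    root = ET.fromstring("<r xmlns:db='%s'>%s</r>" % (DB_NS, xml_text))
    el = root.find("{%s}%s" % (DB_NS, local_name))
    if el is None:
        raise ValueError("expected db:%s" % local_name)
    return el

def originating_result(secret, originating, receiving, stream_id):
    """Originating server: <db:result/> for the stream whose ID (taken from
    the receiving server's response header) is stream_id."""
    key = dialback_key(secret, receiving, originating, stream_id)
    return "<db:result from='%s' to='%s'>%s</db:result>" % (originating, receiving, key)

def receiving_verify(result_xml, stream_id):
    """Receiving server: forward the key to the authoritative server. The id
    MUST be the ID of the stream on which <db:result/> arrived."""
    el = _parse_db(result_xml, "result")
    return "<db:verify from='%s' id='%s' to='%s'>%s</db:verify>" % (
        el.get("to"), stream_id, el.get("from"), (el.text or "").strip())

def authoritative_answer(secret, own_domains, verify_xml):
    """Authoritative server: recompute the key and compare in constant time.
    Only domains this server is authoritative for can be validated."""
    el = _parse_db(verify_xml, "verify")
    receiving, originating, stream_id = el.get("from"), el.get("to"), el.get("id")
    presented = (el.text or "").strip()
    valid = False
    if originating in own_domains and stream_id:
        expected = dialback_key(secret, receiving, originating, stream_id)
        valid = hmac.compare_digest(expected, presented)
    return "<db:verify from='%s' id='%s' to='%s' type='%s'>%s</db:verify>" % (
        originating, stream_id, receiving, "valid" if valid else "invalid", presented)

def receiving_result(answer_xml):
    """Receiving server: report the outcome on the original stream."""
    el = _parse_db(answer_xml, "verify")
    return "<db:result from='%s' to='%s' type='%s'>%s</db:result>" % (
        el.get("to"), el.get("from"), el.get("type"), (el.text or "").strip())

def run_dialback(secret, originating, receiving, result_stream_id,
                 verify_stream_id, own_domains):
    """Drive the whole exchange; return the type of the final <db:result/>."""
    result = originating_result(secret, originating, receiving, result_stream_id)
    verify = receiving_verify(result, verify_stream_id)
    answer = authoritative_answer(secret, own_domains, verify)
    return _parse_db(receiving_result(answer), "result").get("type")
```

<p>Because the key is bound to the stream ID, a receiving server that quotes the ID of the stream STARTTLS replaced instead of the ID of the stream on which the key arrived gets an 'invalid' answer, which is why the verification requests above carry the post-TLS stream ID. Note also what dialback does and does not prove: the authoritative server is whatever DNS resolves for the originating domain, so a valid result shows only that the peer can receive traffic at that address, not that it holds any key; the check adds no confidentiality or integrity of its own, and that is why the type6.lit service in the next section does not support it at all.</p>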
  2496. </section2>
<section2 topic='Type 4 to Type 6' anchor='type4-type6'>
<p>In this scenario, an XMPP user hamlet@type4.lit attempts to send an XML stanza to chris@type6.lit.</p>
<example caption="Test Stanza"><![CDATA[
<iq from='hamlet@type4.lit/foo'
id='t4_t6'
to='chris@type6.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type4.lit service (which requires encrypted connections and has a self-signed certificate) attempts to initiate a server-to-server connection with the type6.lit service (which accepts only trusted connections, has a CA-issued certificate, and does not support Server Dialback).</p>
<p>First, the type4.lit service sends an initial stream header to type6.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type4.lit'
to='type6.lit'>
]]></example>
<p>Next the type6.lit service sends a response stream header to type4.lit. Notice that the response stream header does not include the dialback namespace, since the type6.lit service does not support Server Dialback.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type6.lit'
id='idt4_t6o'
to='type4.lit'
version='1.0'>
]]></example>
<p>The type6.lit service also sends stream features. Because the type6.lit service does not accept untrusted connections, it returns stream features with a notation that STARTTLS is required.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
</stream:features>
]]></example>
<p>Because type6.lit requires encryption, type4.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
<example caption="STARTTLS Request"><![CDATA[
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<example caption="STARTTLS Response"><![CDATA[
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<p>The servers then attempt to negotiate TLS. We assume the negotiation fails because type4.lit presents a self-signed certificate but type6.lit requires trusted federation relying on a common root CA.</p>
<p>Because the connection is unsuccessful, the type4.lit service returns a stanza error to hamlet@type4.lit, which should be &timeout;.</p>
<example caption="Error Stanza"><![CDATA[
<iq from='chris@type6.lit'
id='t4_t6'
to='hamlet@type4.lit/foo'
type='error'>
<error type='cancel'>
<remote-server-timeout
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
]]></example>
</section2>
</section1>
<section1 topic='Connections from Type 5 Services' anchor='type5'>
<section2 topic='Type 5 to Type 1' anchor='type5-type1'>
<p>In this scenario, an XMPP user bill@type5.lit attempts to send an XML stanza to citizen@type1.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='bill@type5.lit/foo'
id='t5_t1'
to='citizen@type1.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type5.lit service (which requires encrypted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type1.lit service (which supports verified connections only and does not have a certificate).</p>
<p>First, the type5.lit service sends an initial stream header to type1.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type1.lit'
version='1.0'>
]]></example>
<p>Next the type1.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type1.lit'
id='idt5_t1o'
to='type5.lit'>
]]></example>
<p>Because the type1.lit service does not support XMPP 1.0, it does not send stream features. Because the type5.lit service requires encryption via TLS, it cannot proceed further with the stream negotiation and closes the stream.</p>
<example caption="Stream Close"><![CDATA[
</stream:stream>
]]></example>
<p>The type1.lit service closes the stream as well.</p>
<example caption="Stream Close"><![CDATA[
</stream:stream>
]]></example>
<p>Because the connection is unsuccessful, the type5.lit service returns a stanza error to bill@type5.lit, which should be &timeout;.</p>
<example caption="Error Stanza"><![CDATA[
<iq from='citizen@type1.lit'
id='t5_t1'
to='bill@type5.lit/foo'
type='error'>
<error type='cancel'>
<remote-server-timeout
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
]]></example>
</section2>
<section2 topic='Type 5 to Type 2' anchor='type5-type2'>
<p>In this scenario, an XMPP user bill@type5.lit attempts to send an XML stanza to juliet@type2.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='bill@type5.lit/foo'
id='t5_t2'
to='juliet@type2.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type5.lit service (which requires encrypted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type2.lit service (which supports verified connections and has a self-signed certificate).</p>
<p>First, the type5.lit service sends an initial stream header to type2.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type2.lit'
version='1.0'>
]]></example>
<p>Next the type2.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type2.lit'
id='idt5_t2o'
to='type5.lit'>
]]></example>
<p>Because the type2.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
<dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
]]></example>
<p>Because the type5.lit service requires encryption, it attempts STARTTLS negotiation.</p>
<example caption="STARTTLS Request"><![CDATA[
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<example caption="STARTTLS Response"><![CDATA[
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
<p>The type5.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type2.lit'
version='1.0'>
]]></example>
<p>Next the type2.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type2.lit'
id='idt5_t2o2'
to='type5.lit'>
]]></example>
<p>Because the type2.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<dialback xmlns='urn:xmpp:features:dialback'>
<required/>
</dialback>
</stream:features>
]]></example>
<p>Notice that type2.lit requires dialback here (perhaps because of some local service policy). Therefore type5.lit sends a dialback key to type2.lit.</p>
<example caption="Dialback Key"><![CDATA[
<db:result
from='type5.lit'
to='type2.lit'>
some-long-dialback-key
</db:result>
]]></example>
<p>The type2.lit service then performs a DNS lookup on the type5.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type5.lit service.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type2.lit'
to='type5.lit'>
]]></example>
<p>The authoritative server for the type5.lit service then returns a response stream header.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
id='idt5_t2r'
to='type2.lit'
version='1.0'>
]]></example>
<p>The type2.lit service then sends a dialback verification request to the authoritative server for the type5.lit domain.</p>
<example caption="Verification Request"><![CDATA[
<db:verify
from='type2.lit'
id='idt5_t2o'
to='type5.lit'>
some-long-dialback-key
</db:verify>
]]></example>
<p>Here we assume that the authoritative server for the type5.lit domain notifies the type2.lit service that the key is valid.</p>
<example caption="Key is Valid"><![CDATA[
<db:verify
from='type5.lit'
id='idt5_t2o'
to='type2.lit'
type='valid'>
some-long-dialback-key
</db:verify>
]]></example>
<p>The type2.lit service then returns a positive server dialback result to the originating server (i.e., type5.lit).</p>
<example caption="Server Dialback Result"><![CDATA[
<db:result
from='type2.lit'
to='type5.lit'
type='valid'>
some-long-dialback-key
</db:result>
]]></example>
<p>Because the connection is successful, the type5.lit service routes the XML stanza from bill@type5.lit to the type2.lit service.</p>
</section2>
<section2 topic='Type 5 to Type 3' anchor='type5-type3'>
<p>In this scenario, an XMPP user bill@type5.lit attempts to send an XML stanza to romeo@type3.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='bill@type5.lit/foo'
id='t5_t3'
to='romeo@type3.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type5.lit service (which requires encrypted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type3.lit service (which accepts verified connections and has a CA-issued certificate).</p>
<p>First, the type5.lit service sends an initial stream header to type3.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type3.lit'
version='1.0'>
]]></example>
<p>Next the type3.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
id='idt5_t3o'
to='type5.lit'>
]]></example>
<p>Because the type3.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
<dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
]]></example>
<p>Because type3.lit advertises encryption and type5.lit requires encryption, type5.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
<example caption="STARTTLS Request"><![CDATA[
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<example caption="STARTTLS Response"><![CDATA[
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
<p>The type5.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type3.lit'
version='1.0'>
]]></example>
<p>Next the type3.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
id='idt5_t3o2'
to='type5.lit'>
]]></example>
<p>Because the type3.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>EXTERNAL</mechanism>
<required/>
</mechanisms>
</stream:features>
]]></example>
<p>Notice that type3.lit requires use of SASL EXTERNAL here (because the certificate presented by type5.lit was issued by a common root CA). Therefore type5.lit attempts to complete SASL negotiation.</p>
<example caption="SASL Mechanism Selection"><![CDATA[
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='EXTERNAL'>dHlwZTUubGl0</auth>
]]></example>
<p>The type3.lit service determines that the authorization identity provided by type5.lit matches the information in the presented certificate and therefore returns success.</p>
<example caption="SASL Success"><![CDATA[
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
]]></example>
<p>The type5.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type3.lit'
version='1.0'>
]]></example>
<p>Next the type3.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type3.lit'
id='idt5_t3o3'
to='type5.lit'>
]]></example>
<p>Because the type3.lit service supports XMPP 1.0, it also sends stream features (which in this case are empty).</p>
<example caption="Stream Features"><![CDATA[
<stream:features/>
]]></example>
<p>Because the connection is successful, the type5.lit service routes the XML stanza from bill@type5.lit to the type3.lit service.</p>
</section2>
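<p>The decision the initiating server makes after each &lt;stream:features/&gt; it receives in the Type 4 to Type 6, Type 5 to Type 1, Type 5 to Type 2 and Type 5 to Type 3 flows above (take STARTTLS, send a dialback key, select SASL EXTERNAL, start sending stanzas, or close the stream and report remote-server-timeout to the user), as an added Python example that is not part of XEP-0238 or of any XMPP server. The LocalPolicy fields, the function names and the returned action strings are this example's own assumptions; the feature fragments are the ones shown in the flows.</p>
<code><![CDATA[
```python
"""Initiating-server feature negotiation, modelled on the flows above (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace as written in the flows above; real deployments use http://etherx.jabber.org/streams
NS_STREAM = "http://etherx.jabber.lit/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_DIALBACK = "urn:xmpp:features:dialback"


@dataclass(frozen=True)
class LocalPolicy:
    """The initiating server's own policy (field names are this example's, not the XEP's)."""
    require_encryption: bool   # true for type 4, 5 and 6 services in the flows
    ca_issued_cert: bool       # true for type 3, 5 and 6; needed before selecting SASL EXTERNAL
    tls_done: bool = False     # true once the stream has been re-opened over TLS


# Policies of the initiating servers in the flows above.
TYPE4 = LocalPolicy(require_encryption=True, ca_issued_cert=False)
TYPE5 = LocalPolicy(require_encryption=True, ca_issued_cert=True)

# <stream:features/> fragments copied from the flows above (None = no features sent at all).
SAMPLE_FEATURES = {
    "starttls-required": "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
                         "<required/></starttls></stream:features>",
    "starttls-dialback": "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
                         "<dialback xmlns='urn:xmpp:features:dialback'/></stream:features>",
    "dialback-required": "<stream:features><dialback xmlns='urn:xmpp:features:dialback'>"
                         "<required/></dialback></stream:features>",
    "external-required": "<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                         "<mechanism>EXTERNAL</mechanism><required/></mechanisms></stream:features>",
    "empty": "<stream:features/>",
    "none": None,
}


def parse_features(fragment):
    """Parse a <stream:features/> fragment. The 'stream' prefix is declared on the enclosing
    <stream:stream>, so it is declared on a wrapper here. Returns None when no features were
    sent at all (a pre-XMPP-1.0 server such as type1.lit)."""
    if not fragment or not fragment.strip():
        return None
    root = ET.fromstring(f"<w xmlns:stream='{NS_STREAM}'>{fragment}</w>")
    return root.find(f"{{{NS_STREAM}}}features")


def _required(feature):
    # <required/> inherits its parent's default namespace, hence the namespace wildcard.
    return feature is not None and feature.find("{*}required") is not None


def next_step(fragment, policy):
    """Return the initiating server's next action: 'starttls', 'dialback', 'sasl-external',
    'send-stanzas' or 'close-stream' (the flows report the last one as remote-server-timeout)."""
    features = parse_features(fragment)
    if features is None:
        # No features at all: TLS cannot be negotiated, only legacy dialback remains.
        return "close-stream" if policy.require_encryption else "dialback"

    starttls = features.find(f"{{{NS_TLS}}}starttls")
    if not policy.tls_done:
        if starttls is not None:
            return "starttls"          # take encryption whenever it is offered
        if policy.require_encryption:
            return "close-stream"      # peer cannot encrypt, local policy insists on it
    elif starttls is not None:
        return "close-stream"          # STARTTLS must not be offered again once TLS is up

    mechanisms = features.find(f"{{{NS_SASL}}}mechanisms")
    offered = set()
    if mechanisms is not None:
        offered = {m.text for m in mechanisms.findall(f"{{{NS_SASL}}}mechanism")}
    if "EXTERNAL" in offered and policy.tls_done and policy.ca_issued_cert:
        return "sasl-external"         # certificate-based authentication (XEP-0178)
    if _required(mechanisms):
        return "close-stream"          # peer insists on SASL we cannot satisfy

    if features.find(f"{{{NS_DIALBACK}}}dialback") is not None:
        return "dialback"              # weaker, DNS-based identity assertion
    if len(features) == 0:
        return "send-stanzas"          # empty features: negotiation is complete
    return "close-stream"              # only features we do not understand
```
]]></code>
<p>The point the flows make implicitly and the code makes explicit: SASL EXTERNAL is selected only after TLS is up and only when the local certificate is CA-issued, and a peer that marks EXTERNAL as required is otherwise refused. Every 'close-stream' branch is a federation failure that ends up in the user's inbox as a remote-server-timeout error, so a server operator diagnosing such errors should look at which branch was taken rather than at the stanza error alone.</p>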
<section2 topic='Type 5 to Type 4' anchor='type5-type4'>
<p>In this scenario, an XMPP user bill@type5.lit attempts to send an XML stanza to hamlet@type4.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='bill@type5.lit/foo'
id='t5_t4'
to='hamlet@type4.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type5.lit service (which requires encrypted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type4.lit service (which also requires encrypted connections and has a self-signed certificate).</p>
<p>First, the type5.lit service sends an initial stream header to type4.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type4.lit'
version='1.0'>
]]></example>
<p>Next the type4.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type4.lit'
id='idt5_t4o'
to='type5.lit'>
]]></example>
<p>Because the type4.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
<dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
]]></example>
<p>Because the type5.lit service requires encryption, it attempts STARTTLS negotiation.</p>
<example caption="STARTTLS Request"><![CDATA[
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<example caption="STARTTLS Response"><![CDATA[
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
<p>The type5.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type4.lit'
version='1.0'>
]]></example>
<p>Next the type4.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type4.lit'
id='idt5_t4o2'
to='type5.lit'>
]]></example>
<p>Because the type4.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<dialback xmlns='urn:xmpp:features:dialback'>
<required/>
</dialback>
</stream:features>
]]></example>
<p>Notice that type4.lit requires dialback here (perhaps because of some local service policy). Therefore type5.lit sends a dialback key to type4.lit.</p>
<example caption="Dialback Key"><![CDATA[
<db:result
from='type5.lit'
to='type4.lit'>
some-long-dialback-key
</db:result>
]]></example>
<p>The type4.lit service then performs a DNS lookup on the type5.lit domain, opens a TCP connection at the discovered IP address and port, and establishes a stream with the authoritative server for the type5.lit service.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type4.lit'
to='type5.lit'>
]]></example>
<p>The authoritative server for the type5.lit service then returns a response stream header.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
id='idt5_t4r'
to='type4.lit'
version='1.0'>
]]></example>
<p>The type4.lit service then sends a dialback verification request to the authoritative server for the type5.lit domain.</p>
<example caption="Verification Request"><![CDATA[
<db:verify
from='type4.lit'
id='idt5_t4o'
to='type5.lit'>
some-long-dialback-key
</db:verify>
]]></example>
<p>Here we assume that the authoritative server for the type5.lit domain notifies the type4.lit service that the key is valid.</p>
<example caption="Key is Valid"><![CDATA[
<db:verify
from='type5.lit'
id='idt5_t4o'
to='type4.lit'
type='valid'>
some-long-dialback-key
</db:verify>
]]></example>
<p>The type4.lit service then returns a positive server dialback result to the originating server (i.e., type5.lit).</p>
<example caption="Server Dialback Result"><![CDATA[
<db:result
from='type4.lit'
to='type5.lit'
type='valid'>
some-long-dialback-key
</db:result>
]]></example>
<p>Because the connection is successful, the type5.lit service routes the XML stanza from bill@type5.lit to the type4.lit service.</p>
</section2>
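<p>The three-party dialback exchange shown in the Type 4 to Type 5, Type 5 to Type 2 and Type 5 to Type 4 flows above (originating server sends a key in &lt;db:result/&gt;, receiving server forwards it in &lt;db:verify/&gt; to the originating domain's authoritative server, which answers valid or invalid), as an added Python example that is not part of XEP-0238 or of any XMPP server. The flows show the key only as the placeholder some-long-dialback-key; the HMAC construction below follows the one XEP-0185 recommends, and the secret, the AuthoritativeServer class and the run_dialback helper are this example's own assumptions.</p>
<code><![CDATA[
```python
"""Server Dialback key generation and verification (added example)."""
import hashlib
import hmac
import secrets


def new_secret() -> bytes:
    """Per-domain secret shared only by the servers authoritative for that domain; it is
    never sent on the wire, only the keys derived from it are."""
    return secrets.token_bytes(32)


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Key the originating server places in <db:result/>: hex HMAC-SHA256, keyed with
    SHA256(secret), over 'receiving originating stream_id'. This is the construction
    XEP-0185 recommends; the flows above show only the placeholder some-long-dialback-key."""
    message = f"{receiving} {originating} {stream_id}".encode("utf-8")
    return hmac.new(hashlib.sha256(secret).digest(), message, hashlib.sha256).hexdigest()


class AuthoritativeServer:
    """Authoritative server for an originating domain, answering <db:verify/>
    (hypothetical class for this example)."""

    def __init__(self, domain: str, secret: bytes):
        self.domain = domain
        self.secret = secret

    def verify(self, receiving: str, originating: str, stream_id: str, key: str) -> str:
        """Handle <db:verify from=receiving id=stream_id to=originating>key</db:verify> and
        return the 'type' of the reply: 'valid' or 'invalid'."""
        if originating != self.domain:
            return "invalid"           # we are not authoritative for the domain asked about
        expected = dialback_key(self.secret, receiving, self.domain, stream_id)
        # The key is a MAC tag over the domain pair and stream id: compare in constant time.
        return "valid" if hmac.compare_digest(expected, key) else "invalid"


def run_dialback(originating_secret: bytes, originating: str, receiving: str,
                 stream_id: str, authoritative: AuthoritativeServer) -> str:
    """Simulate the exchange above; returns the 'type' of the final <db:result/> that the
    receiving server sends back to the originating server."""
    # Originating server: key bound to this stream, sent in <db:result/>.
    key = dialback_key(originating_secret, receiving, originating, stream_id)
    # Receiving server: reaches the authoritative server (DNS lookup in the real flow) and
    # forwards the key in <db:verify/>; that answer decides the <db:result/> type.
    return authoritative.verify(receiving, originating, stream_id, key)
```
]]></code>
<p>Because the key is bound to the receiving domain, the originating domain and the stream id, a key captured on one stream does not verify on another, and a server that does not hold the domain's secret cannot produce a key the authoritative server accepts. What dialback does not prove is anything about the peer's certificate: it only shows that whoever DNS points to for the originating domain knows the secret, which is why the flows above treat dialback as "verified" and reserve "trusted" for SASL EXTERNAL over TLS with a CA-issued certificate.</p>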
<section2 topic='Type 5 to Type 5' anchor='type5-type5'>
<p>In this scenario, an XMPP user bill@type5.lit attempts to send an XML stanza to user@example.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='bill@type5.lit/foo'
id='t5_t5'
to='user@example.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type5.lit service (which requires encrypted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the example.lit service (which also requires encrypted connections and has a CA-issued certificate).</p>
<p>First, the type5.lit service sends an initial stream header to example.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='example.lit'
version='1.0'>
]]></example>
<p>Next the example.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='example.lit'
id='idt5_t5o'
to='type5.lit'>
]]></example>
<p>Because the example.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
<dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
]]></example>
<p>Because both example.lit and type5.lit require encryption, type5.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
<example caption="STARTTLS Request"><![CDATA[
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<example caption="STARTTLS Response"><![CDATA[
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
<p>The type5.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='example.lit'
version='1.0'>
]]></example>
<p>Next the example.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='example.lit'
id='idt5_t5o2'
to='type5.lit'>
]]></example>
<p>Because the example.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>EXTERNAL</mechanism>
<required/>
</mechanisms>
</stream:features>
]]></example>
<p>Notice that example.lit requires use of SASL EXTERNAL here (because the certificate presented by type5.lit was issued by a common root CA). Therefore type5.lit attempts to complete SASL negotiation.</p>
<example caption="SASL Mechanism Selection"><![CDATA[
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='EXTERNAL'>dHlwZTUubGl0</auth>
]]></example>
<p>The example.lit service determines that the authorization identity provided by type5.lit matches the information in the presented certificate and therefore returns success.</p>
<example caption="SASL Success"><![CDATA[
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
]]></example>
<p>The type5.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='example.lit'
version='1.0'>
]]></example>
<p>Next the example.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='example.lit'
id='idt5_t5o3'
to='type5.lit'>
]]></example>
<p>Because the example.lit service supports XMPP 1.0, it also sends stream features (which in this case are empty).</p>
<example caption="Stream Features"><![CDATA[
<stream:features/>
]]></example>
<p>Because the connection is successful, the type5.lit service routes the XML stanza from bill@type5.lit to the example.lit service.</p>
</section2>
<section2 topic='Type 5 to Type 6' anchor='type5-type6'>
<p>In this scenario, an XMPP user bill@type5.lit attempts to send an XML stanza to chris@type6.lit:</p>
<example caption="Test Stanza"><![CDATA[
<iq from='bill@type5.lit/foo'
id='t5_t6'
to='chris@type6.lit'
type='get'>
<ping xmlns='urn:xmpp:ping'/>
</iq>
]]></example>
<p>Therefore the type5.lit service (which requires encrypted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type6.lit service (which requires trusted communications and has a CA-issued certificate).</p>
<p>First, the type5.lit service sends an initial stream header to type6.lit.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type6.lit'
version='1.0'>
]]></example>
<p>Next the type6.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type6.lit'
id='idt5_t6o'
to='type5.lit'>
]]></example>
<p>Because the type6.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
<dialback xmlns='urn:xmpp:features:dialback'/>
</stream:features>
]]></example>
<p>Because type6.lit requires encryption, type5.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
<example caption="STARTTLS Request"><![CDATA[
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<example caption="STARTTLS Response"><![CDATA[
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
]]></example>
<p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
<p>The type5.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type6.lit'
version='1.0'>
]]></example>
<p>Next the type6.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type6.lit'
id='idt5_t6o2'
to='type5.lit'>
]]></example>
<p>Because the type6.lit service supports XMPP 1.0, it also sends stream features.</p>
<example caption="Stream Features"><![CDATA[
<stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>EXTERNAL</mechanism>
<required/>
</mechanisms>
</stream:features>
]]></example>
<p>Notice that type6.lit requires use of SASL EXTERNAL here (because the certificate presented by type5.lit was issued by a common root CA). Therefore type5.lit attempts to complete SASL negotiation.</p>
<example caption="SASL Mechanism Selection"><![CDATA[
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='EXTERNAL'>dHlwZTUubGl0</auth>
]]></example>
<p>The type6.lit service determines that the authorization identity provided by type5.lit matches the information in the presented certificate and therefore returns success.</p>
<example caption="SASL Success"><![CDATA[
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
]]></example>
<p>The type5.lit service then opens a new stream over the encrypted connection.</p>
<example caption="Initial Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type5.lit'
to='type6.lit'
version='1.0'>
]]></example>
<p>Next the type6.lit service sends a response stream header to type5.lit.</p>
<example caption="Response Stream Header"><![CDATA[
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.lit/streams'
from='type6.lit'
id='idt5_t6o3'
to='type5.lit'>
]]></example>
<p>Because the type6.lit service supports XMPP 1.0, it also sends stream features (which in this case are empty).</p>
<example caption="Stream Features"><![CDATA[
<stream:features/>
]]></example>
<p>Because the connection is successful, the type5.lit service routes the XML stanza from bill@type5.lit to the type6.lit service.</p>
</section2>
  3208. </section1>
  3209. <section1 topic='Connections from Type 6 Services' anchor='type6'>
  3210. <section2 topic='Type 6 to Type 1' anchor='type6-type1'>
  3211. <p>In this scenario, an XMPP user chris@type6.lit attempts to send an XML stanza to citizen@type1.lit:</p>
  3212. <example caption="Test Stanza"><![CDATA[
  3213. <iq from='chris@type6.lit/foo'
  3214. id='t6_t1'
  3215. to='citizen@type1.lit'
  3216. type='get'>
  3217. <ping xmlns='urn:xmpp:ping'/>
  3218. </iq>
  3219. ]]></example>
  3220. <p>Therefore the type6.lit service (which requires trusted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type1.lit service (which supports verified connections only and does not have a certificate).</p>
  3221. <p>First, the type6.lit service sends an initial stream header to type1.lit.</p>
  3222. <example caption="Initial Stream Header"><![CDATA[
  3223. <stream:stream
  3224. xmlns='jabber:server'
  3225. xmlns:db='jabber:server:dialback'
  3226. xmlns:stream='http://etherx.jabber.lit/streams'
  3227. from='type6.lit'
  3228. to='type1.lit'
  3229. version='1.0'>
  3230. ]]></example>
  3231. <p>Next the type1.lit service sends a response stream header to type6.lit.</p>
  3232. <example caption="Response Stream Header"><![CDATA[
  3233. <stream:stream
  3234. xmlns='jabber:server'
  3235. xmlns:db='jabber:server:dialback'
  3236. xmlns:stream='http://etherx.jabber.lit/streams'
  3237. from='type1.lit'
  3238. id='idt6_t1o'
  3239. to='type6.lit'>
  3240. ]]></example>
  3241. <p>Because the type1.lit service does not support XMPP 1.0, it does not send stream features. Because the type6.lit service requires encryption via TLS, it cannot proceed further with the stream negotiation and closes the stream.</p>
  3242. <example caption="Stream Close"><![CDATA[
  3243. </stream:stream>
  3244. ]]></example>
  3245. <p>The type1.lit service closes the stream as well.</p>
  3246. <example caption="Stream Close"><![CDATA[
  3247. </stream:stream>
  3248. ]]></example>
  3249. <p>Because the connection is unsuccessful, the type6.lit service returns a stanza error to chris@type6.lit, which should be &timeout;.</p>
  3250. <example caption="Error Stanza"><![CDATA[
  3251. <iq from='citizen@type1.lit'
  3252. id='t6_t1'
  3253. to='bill@type5.lit/foo'
  3254. type='error'>
  3255. <error type='cancel'>
  3256. <remote-server-timeout
  3257. xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
  3258. </error>
  3259. </iq>
  3260. ]]></example>
  3261. </section2>
  3262. <section2 topic='Type 6 to Type 2' anchor='type6-type2'>
  3263. <p>In this scenario, an XMPP user chris@type6.lit attempts to send an XML stanza to juliet@type2.lit:</p>
  3264. <example caption="Test Stanza"><![CDATA[
  3265. <iq from='chris@type6.lit/foo'
  3266. id='t6_t2'
  3267. to='juliet@type2.lit'
  3268. type='get'>
  3269. <ping xmlns='urn:xmpp:ping'/>
  3270. </iq>
  3271. ]]></example>
  3272. <p>Therefore the type6.lit service (which requires encrypted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type2.lit service (which supports verified connections and has a self-signed certificate).</p>
  3273. <p>First, the type6.lit service sends an initial stream header to type2.lit.</p>
  3274. <example caption="Initial Stream Header"><![CDATA[
  3275. <stream:stream
  3276. xmlns='jabber:server'
  3277. xmlns:db='jabber:server:dialback'
  3278. xmlns:stream='http://etherx.jabber.lit/streams'
  3279. from='type6.lit'
  3280. to='type2.lit'
  3281. version='1.0'>
  3282. ]]></example>
  3283. <p>Next the type2.lit service sends a response stream header to type6.lit.</p>
  3284. <example caption="Response Stream Header"><![CDATA[
  3285. <stream:stream
  3286. xmlns='jabber:server'
  3287. xmlns:db='jabber:server:dialback'
  3288. xmlns:stream='http://etherx.jabber.lit/streams'
  3289. from='type2.lit'
  3290. id='idt6_t2o'
  3291. to='type6.lit'>
  3292. ]]></example>
  3293. <p>Because the type2.lit service supports XMPP 1.0, it also sends stream features.</p>
  3294. <example caption="Stream Features"><![CDATA[
  3295. <stream:features>
  3296. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3297. <dialback xmlns='urn:xmpp:features:dialback'/>
  3298. </stream:features>
  3299. ]]></example>
  3300. <p>Because the type6.lit service requires encryption, it attempts STARTTLS negotiation.</p>
  3301. <example caption="STARTTLS Request"><![CDATA[
  3302. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3303. ]]></example>
  3304. <example caption="STARTTLS Response"><![CDATA[
  3305. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3306. ]]></example>
  3307. <p>The servers then attempt negotiate TLS. We assume the negotiation fails because type2.lit presents a self-signed certificate but type6.lit requires trusted federation relying on a common root CA.</p>
  3308. <p>Because the connection is unsuccessful, the type6.lit service returns a stanza error to chris@type6.lit, which should be &timeout;.</p>
  3309. <example caption="Error Stanza"><![CDATA[
  3310. <iq from='juliet@type2.lit'
  3311. id='t4_t6'
  3312. to='chris@type6.lit/foo'
  3313. type='error'>
  3314. <error type='cancel'>
  3315. <remote-server-timeout
  3316. xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
  3317. </error>
  3318. </iq>
  3319. ]]></example>
  3320. </section2>
  3321. <section2 topic='Type 6 to Type 3' anchor='type6-type3'>
  3322. <p>In this scenario, an XMPP user chris@type6.lit attempts to send an XML stanza to romeo@type3.lit:</p>
  3323. <example caption="Test Stanza"><![CDATA[
  3324. <iq from='chris@type6.lit/foo'
  3325. id='t6_t3'
  3326. to='romeo@type3.lit'
  3327. type='get'>
  3328. <ping xmlns='urn:xmpp:ping'/>
  3329. </iq>
  3330. ]]></example>
  3331. <p>Therefore the type6.lit service (which requires trusted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type3.lit service (which accepts verified connections and has a CA-issued certificate).</p>
  3332. <p>First, the type6.lit service sends an initial stream header to type3.lit.</p>
  3333. <example caption="Initial Stream Header"><![CDATA[
  3334. <stream:stream
  3335. xmlns='jabber:server'
  3336. xmlns:db='jabber:server:dialback'
  3337. xmlns:stream='http://etherx.jabber.lit/streams'
  3338. from='type6.lit'
  3339. to='type3.lit'
  3340. version='1.0'>
  3341. ]]></example>
  3342. <p>Next the type3.lit service sends a response stream header to type6.lit.</p>
  3343. <example caption="Response Stream Header"><![CDATA[
  3344. <stream:stream
  3345. xmlns='jabber:server'
  3346. xmlns:db='jabber:server:dialback'
  3347. xmlns:stream='http://etherx.jabber.lit/streams'
  3348. from='type3.lit'
  3349. id='idt6_t3o'
  3350. to='type6.lit'>
  3351. ]]></example>
  3352. <p>Because the type3.lit service supports XMPP 1.0, it also sends stream features.</p>
  3353. <example caption="Stream Features"><![CDATA[
  3354. <stream:features>
  3355. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3356. <dialback xmlns='urn:xmpp:features:dialback'/>
  3357. </stream:features>
  3358. ]]></example>
  3359. <p>Because type3.lit advertises encryption and type6.lit requires encryption, type6.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
  3360. <example caption="STARTTLS Request"><![CDATA[
  3361. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3362. ]]></example>
  3363. <example caption="STARTTLS Response"><![CDATA[
  3364. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3365. ]]></example>
  3366. <p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
  3367. <p>The type6.lit service then opens a new stream over the encrypted connection.</p>
  3368. <example caption="Initial Stream Header"><![CDATA[
  3369. <stream:stream
  3370. xmlns='jabber:server'
  3371. xmlns:db='jabber:server:dialback'
  3372. xmlns:stream='http://etherx.jabber.lit/streams'
  3373. from='type6.lit'
  3374. to='type3.lit'
  3375. version='1.0'>
  3376. ]]></example>
  3377. <p>Next the type3.lit service sends a response stream header to type6.lit.</p>
  3378. <example caption="Response Stream Header"><![CDATA[
  3379. <stream:stream
  3380. xmlns='jabber:server'
  3381. xmlns:db='jabber:server:dialback'
  3382. xmlns:stream='http://etherx.jabber.lit/streams'
  3383. from='type3.lit'
  3384. id='idt6_t3o2'
  3385. to='type6.lit'>
  3386. ]]></example>
  3387. <p>Because the type3.lit service supports XMPP 1.0, it also sends stream features.</p>
  3388. <example caption="Stream Features"><![CDATA[
  3389. <stream:features>
  3390. <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
  3391. <mechanism>EXTERNAL</mechanism>
  3392. <required/>
  3393. </mechanisms>
  3394. </stream:features>
  3395. ]]></example>
  3396. <p>Notice that type3.lit requires use of SASL EXTERNAL here (because the certificate presented by type6.lit was issued by a common root CA). Therefore type6.lit attempts to complete SASL negotiation.</p>
  3397. <example caption="SASL Mechanism Selection"><![CDATA[
  3398. <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
  3399. mechanism='EXTERNAL'/>dHlwZTMubGl0</auth>
  3400. ]]></example>
  3401. <p>The type3.lit service determines that the authorization identity provided by type6.lit matches the information in the presented certificate and therefore returns success.</p>
  3402. <example caption="SASL Success"><![CDATA[
  3403. <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
  3404. ]]></example>
  3405. <p>The type6.lit service then opens a new stream over the encrypted connection.</p>
  3406. <example caption="Initial Stream Header"><![CDATA[
  3407. <stream:stream
  3408. xmlns='jabber:server'
  3409. xmlns:db='jabber:server:dialback'
  3410. xmlns:stream='http://etherx.jabber.lit/streams'
  3411. from='type6.lit'
  3412. to='type3.lit'
  3413. version='1.0'>
  3414. ]]></example>
  3415. <p>Next the type3.lit service sends a response stream header to type6.lit.</p>
  3416. <example caption="Response Stream Header"><![CDATA[
  3417. <stream:stream
  3418. xmlns='jabber:server'
  3419. xmlns:db='jabber:server:dialback'
  3420. xmlns:stream='http://etherx.jabber.lit/streams'
  3421. from='type3.lit'
  3422. id='idt6_t3o3'
  3423. to='type6.lit'>
  3424. ]]></example>
  3425. <p>Because the type3.lit service supports XMPP 1.0, it also sends stream features (which in this case are empty).</p>
  3426. <example caption="Stream Features"><![CDATA[
  3427. <stream:features/>
  3428. ]]></example>
  3429. <p>Because the connection is successful, the type6.lit service routes the XML stanza from chris@type6.lit to the type3.lit service.</p>
  3430. </section2>
  3431. <section2 topic='Type 6 to Type 4' anchor='type6-type4'>
  3432. <p>In this scenario, an XMPP user chris@type6.lit attempts to send an XML stanza to hamlet@type4.lit:</p>
  3433. <example caption="Test Stanza"><![CDATA[
  3434. <iq from='chris@type6.lit/foo'
  3435. id='t6_t4'
  3436. to='hamlet@type4.lit'
  3437. type='get'>
  3438. <ping xmlns='urn:xmpp:ping'/>
  3439. </iq>
  3440. ]]></example>
  3441. <p>Therefore the type6.lit service (which requires encrypted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type4.lit service (which supports verified connections and has a self-signed certificate).</p>
  3442. <p>First, the type6.lit service sends an initial stream header to type4.lit.</p>
  3443. <example caption="Initial Stream Header"><![CDATA[
  3444. <stream:stream
  3445. xmlns='jabber:server'
  3446. xmlns:db='jabber:server:dialback'
  3447. xmlns:stream='http://etherx.jabber.lit/streams'
  3448. from='type6.lit'
  3449. to='type4.lit'
  3450. version='1.0'>
  3451. ]]></example>
  3452. <p>Next the type4.lit service sends a response stream header to type6.lit.</p>
  3453. <example caption="Response Stream Header"><![CDATA[
  3454. <stream:stream
  3455. xmlns='jabber:server'
  3456. xmlns:db='jabber:server:dialback'
  3457. xmlns:stream='http://etherx.jabber.lit/streams'
  3458. from='type4.lit'
  3459. id='idt6_t4o'
  3460. to='type6.lit'>
  3461. ]]></example>
  3462. <p>Because the type4.lit service supports XMPP 1.0, it also sends stream features.</p>
  3463. <example caption="Stream Features"><![CDATA[
  3464. <stream:features>
  3465. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3466. <dialback xmlns='urn:xmpp:features:dialback'/>
  3467. </stream:features>
  3468. ]]></example>
  3469. <p>Because the type6.lit service requires encryption, it attempts STARTTLS negotiation.</p>
  3470. <example caption="STARTTLS Request"><![CDATA[
  3471. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3472. ]]></example>
  3473. <example caption="STARTTLS Response"><![CDATA[
  3474. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3475. ]]></example>
  3476. <p>The servers then attempt negotiate TLS. We assume the negotiation fails because type4.lit presents a self-signed certificate but type6.lit requires trusted federation relying on a common root CA.</p>
  3477. <p>Because the connection is unsuccessful, the type6.lit service returns a stanza error to chris@type6.lit, which should be &timeout;.</p>
  3478. <example caption="Error Stanza"><![CDATA[
  3479. <iq from='juliet@type4.lit'
  3480. id='t6_t4'
  3481. to='chris@type6.lit/foo'
  3482. type='error'>
  3483. <error type='cancel'>
  3484. <remote-server-timeout
  3485. xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
  3486. </error>
  3487. </iq>
  3488. ]]></example>
  3489. </section2>
  3490. <section2 topic='Type 6 to Type 5' anchor='type6-type5'>
  3491. <p>In this scenario, an XMPP user chris@type6.lit attempts to send an XML stanza to bill@type5.lit:</p>
  3492. <example caption="Test Stanza"><![CDATA[
  3493. <iq from='chris@type6.lit/foo'
  3494. id='t6_t5'
  3495. to='bill@type5.lit'
  3496. type='get'>
  3497. <ping xmlns='urn:xmpp:ping'/>
  3498. </iq>
  3499. ]]></example>
  3500. <p>Therefore the type6.lit service (which requires trusted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the type5.lit service (which requires encrypted connections and has a CA-issued certificate).</p>
  3501. <p>First, the type6.lit service sends an initial stream header to type5.lit.</p>
  3502. <example caption="Initial Stream Header"><![CDATA[
  3503. <stream:stream
  3504. xmlns='jabber:server'
  3505. xmlns:db='jabber:server:dialback'
  3506. xmlns:stream='http://etherx.jabber.lit/streams'
  3507. from='type6.lit'
  3508. to='type5.lit'
  3509. version='1.0'>
  3510. ]]></example>
  3511. <p>Next the type5.lit service sends a response stream header to type6.lit.</p>
  3512. <example caption="Response Stream Header"><![CDATA[
  3513. <stream:stream
  3514. xmlns='jabber:server'
  3515. xmlns:db='jabber:server:dialback'
  3516. xmlns:stream='http://etherx.jabber.lit/streams'
  3517. from='type5.lit'
  3518. id='idt6_t5o'
  3519. to='type6.lit'>
  3520. ]]></example>
  3521. <p>Because the type5.lit service supports XMPP 1.0, it also sends stream features.</p>
  3522. <example caption="Stream Features"><![CDATA[
  3523. <stream:features>
  3524. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3525. <dialback xmlns='urn:xmpp:features:dialback'/>
  3526. </stream:features>
  3527. ]]></example>
  3528. <p>Because type5.lit advertises encryption and type6.lit requires encryption, type6.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
  3529. <example caption="STARTTLS Request"><![CDATA[
  3530. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3531. ]]></example>
  3532. <example caption="STARTTLS Response"><![CDATA[
  3533. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3534. ]]></example>
  3535. <p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
  3536. <p>The type6.lit service then opens a new stream over the encrypted connection.</p>
  3537. <example caption="Initial Stream Header"><![CDATA[
  3538. <stream:stream
  3539. xmlns='jabber:server'
  3540. xmlns:db='jabber:server:dialback'
  3541. xmlns:stream='http://etherx.jabber.lit/streams'
  3542. from='type6.lit'
  3543. to='type5.lit'
  3544. version='1.0'>
  3545. ]]></example>
  3546. <p>Next the type5.lit service sends a response stream header to type6.lit.</p>
  3547. <example caption="Response Stream Header"><![CDATA[
  3548. <stream:stream
  3549. xmlns='jabber:server'
  3550. xmlns:db='jabber:server:dialback'
  3551. xmlns:stream='http://etherx.jabber.lit/streams'
  3552. from='type5.lit'
  3553. id='idt6_t5o2'
  3554. to='type6.lit'>
  3555. ]]></example>
  3556. <p>Because the type5.lit service supports XMPP 1.0, it also sends stream features.</p>
  3557. <example caption="Stream Features"><![CDATA[
  3558. <stream:features>
  3559. <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
  3560. <mechanism>EXTERNAL</mechanism>
  3561. <required/>
  3562. </mechanisms>
  3563. </stream:features>
  3564. ]]></example>
  3565. <p>Notice that type5.lit requires use of SASL EXTERNAL here (because the certificate presented by type6.lit was issued by a common root CA). Therefore type6.lit attempts to complete SASL negotiation.</p>
  3566. <example caption="SASL Mechanism Selection"><![CDATA[
  3567. <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
  3568. mechanism='EXTERNAL'/>dHlwZTMubGl0</auth>
  3569. ]]></example>
  3570. <p>The type5.lit service determines that the authorization identity provided by type6.lit matches the information in the presented certificate and therefore returns success.</p>
  3571. <example caption="SASL Success"><![CDATA[
  3572. <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
  3573. ]]></example>
  3574. <p>The type6.lit service then opens a new stream over the encrypted connection.</p>
  3575. <example caption="Initial Stream Header"><![CDATA[
  3576. <stream:stream
  3577. xmlns='jabber:server'
  3578. xmlns:db='jabber:server:dialback'
  3579. xmlns:stream='http://etherx.jabber.lit/streams'
  3580. from='type6.lit'
  3581. to='type5.lit'
  3582. version='1.0'>
  3583. ]]></example>
  3584. <p>Next the type5.lit service sends a response stream header to type6.lit.</p>
  3585. <example caption="Response Stream Header"><![CDATA[
  3586. <stream:stream
  3587. xmlns='jabber:server'
  3588. xmlns:db='jabber:server:dialback'
  3589. xmlns:stream='http://etherx.jabber.lit/streams'
  3590. from='type5.lit'
  3591. id='idt6_t5o3'
  3592. to='type6.lit'>
  3593. ]]></example>
  3594. <p>Because the type5.lit service supports XMPP 1.0, it also sends stream features (which in this case are empty).</p>
  3595. <example caption="Stream Features"><![CDATA[
  3596. <stream:features/>
  3597. ]]></example>
  3598. <p>Because the connection is successful, the type6.lit service routes the XML stanza from chris@type6.lit to the type5.lit service.</p>
  3599. </section2>
  3600. <section2 topic='Type 6 to Type 6' anchor='type6-type6'>
  3601. <p>In this scenario, an XMPP user chris@type6.lit attempts to send an XML stanza to user@example.lit:</p>
  3602. <example caption="Test Stanza"><![CDATA[
  3603. <iq from='chris@type6.lit/foo'
  3604. id='t6_t6'
  3605. to='user@example.lit'
  3606. type='get'>
  3607. <ping xmlns='urn:xmpp:ping'/>
  3608. </iq>
  3609. ]]></example>
  3610. <p>Therefore the type6.lit service (which requires trusted connections and has a CA-issued certificate) attempts to initiate a server-to-server connection with the example.lit service (which requires encrypted connections and has a CA-issued certificate).</p>
  3611. <p>First, the type6.lit service sends an initial stream header to example.lit.</p>
  3612. <example caption="Initial Stream Header"><![CDATA[
  3613. <stream:stream
  3614. xmlns='jabber:server'
  3615. xmlns:db='jabber:server:dialback'
  3616. xmlns:stream='http://etherx.jabber.lit/streams'
  3617. from='type6.lit'
  3618. to='example.lit'
  3619. version='1.0'>
  3620. ]]></example>
  3621. <p>Next the example.lit service sends a response stream header to type6.lit.</p>
  3622. <example caption="Response Stream Header"><![CDATA[
  3623. <stream:stream
  3624. xmlns='jabber:server'
  3625. xmlns:db='jabber:server:dialback'
  3626. xmlns:stream='http://etherx.jabber.lit/streams'
  3627. from='example.lit'
  3628. id='idt6_t6o'
  3629. to='type6.lit'>
  3630. ]]></example>
  3631. <p>Because the example.lit service supports XMPP 1.0, it also sends stream features.</p>
  3632. <example caption="Stream Features"><![CDATA[
  3633. <stream:features>
  3634. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
  3635. <required/>
  3636. </starttls>
  3637. <dialback xmlns='urn:xmpp:features:dialback'/>
  3638. </stream:features>
  3639. ]]></example>
  3640. <p>Because example.lit advertises encryption and type6.lit requires encryption, type6.lit attempts to negotiate a STARTTLS upgrade to the stream.</p>
  3641. <example caption="STARTTLS Request"><![CDATA[
  3642. <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3643. ]]></example>
  3644. <example caption="STARTTLS Response"><![CDATA[
  3645. <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  3646. ]]></example>
  3647. <p>The servers then negotiate TLS. We assume the negotiation is successful.</p>
  3648. <p>The type6.lit service then opens a new stream over the encrypted connection.</p>
  3649. <example caption="Initial Stream Header"><![CDATA[
  3650. <stream:stream
  3651. xmlns='jabber:server'
  3652. xmlns:db='jabber:server:dialback'
  3653. xmlns:stream='http://etherx.jabber.lit/streams'
  3654. from='type6.lit'
  3655. to='example.lit'
  3656. version='1.0'>
  3657. ]]></example>
  3658. <p>Next the example.lit service sends a response stream header to type6.lit.</p>
  3659. <example caption="Response Stream Header"><![CDATA[
  3660. <stream:stream
  3661. xmlns='jabber:server'
  3662. xmlns:db='jabber:server:dialback'
  3663. xmlns:stream='http://etherx.jabber.lit/streams'
  3664. from='example.lit'
  3665. id='idt6_t6o2'
  3666. to='type6.lit'>
  3667. ]]></example>
  3668. <p>Because the example.lit service supports XMPP 1.0, it also sends stream features.</p>
  3669. <example caption="Stream Features"><![CDATA[
  3670. <stream:features>
  3671. <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
  3672. <mechanism>EXTERNAL</mechanism>
  3673. <required/>
  3674. </mechanisms>
  3675. </stream:features>
  3676. ]]></example>
  3677. <p>Notice that example.lit requires use of SASL EXTERNAL here (because the certificate presented by type6.lit was issued by a common root CA). Therefore type6.lit attempts to complete SASL negotiation.</p>
  3678. <example caption="SASL Mechanism Selection"><![CDATA[
  3679. <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
  3680. mechanism='EXTERNAL'/>dHlwZTMubGl0</auth>
  3681. ]]></example>
  3682. <p>The example.lit service determines that the authorization identity provided by type6.lit matches the information in the presented certificate and therefore returns success.</p>
  3683. <example caption="SASL Success"><![CDATA[
  3684. <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
  3685. ]]></example>
  3686. <p>The type6.lit service then opens a new stream over the encrypted connection.</p>
  3687. <example caption="Initial Stream Header"><![CDATA[
  3688. <stream:stream
  3689. xmlns='jabber:server'
  3690. xmlns:db='jabber:server:dialback'
  3691. xmlns:stream='http://etherx.jabber.lit/streams'
  3692. from='type6.lit'
  3693. to='example.lit'
  3694. version='1.0'>
  3695. ]]></example>
  3696. <p>Next the example.lit service sends a response stream header to type6.lit.</p>
  3697. <example caption="Response Stream Header"><![CDATA[
  3698. <stream:stream
  3699. xmlns='jabber:server'
  3700. xmlns:db='jabber:server:dialback'
  3701. xmlns:stream='http://etherx.jabber.lit/streams'
  3702. from='example.lit'
  3703. id='idt6_t6o3'
  3704. to='type6.lit'>
  3705. ]]></example>
  3706. <p>Because the example.lit service supports XMPP 1.0, it also sends stream features (which in this case are empty).</p>
  3707. <example caption="Stream Features"><![CDATA[
  3708. <stream:features/>
  3709. ]]></example>
  3710. <p>Because the connection is successful, the type6.lit service routes the XML stanza from chris@type6.lit to the example.lit service.</p>
  3711. </section2>
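<p>The Type 6 scenarios above all follow one decision procedure. The following Python model of that procedure is an added example, not code from XEP-0238 or from any XMPP server. The Service records, the step names, the restriction to initiators that require encryption, and the rule that a trusted initiator accepts only a CA-issued peer certificate during the TLS handshake are modelling assumptions drawn from the scenario descriptions.</p>
<example caption="Added Example: Negotiation Model (Python)"><![CDATA[
```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One federating service as the scenarios describe it (modelling assumption)."""
    name: str
    xmpp10: bool   # supports XMPP 1.0, i.e. sends stream features after its header
    cert: str      # 'none', 'self-signed' or 'ca' (issued by a common root CA)
    policy: str    # 'verified', 'encrypted' (requires TLS) or 'trusted' (TLS + CA cert)


# Constructed sample services matching the descriptions in the Type 6 scenarios.
TYPE1 = Service('type1.lit', False, 'none', 'verified')
TYPE2 = Service('type2.lit', True, 'self-signed', 'verified')
TYPE3 = Service('type3.lit', True, 'ca', 'verified')
TYPE4 = Service('type4.lit', True, 'self-signed', 'verified')
TYPE5 = Service('type5.lit', True, 'ca', 'encrypted')
TYPE6 = Service('type6.lit', True, 'ca', 'trusted')


def negotiate(initiator, receiver):
    """Walk the server-to-server negotiation for an initiator that requires TLS.

    Returns (outcome, steps): outcome is 'routed' when the stanza can be sent,
    otherwise the stanza error condition returned to the local user.
    """
    if initiator.policy not in ('encrypted', 'trusted'):
        raise ValueError('model covers initiators that require encryption only')
    steps = ['stream-header', 'response-header']
    if not receiver.xmpp10:
        # A pre-1.0 peer sends no stream features, so TLS can never be negotiated:
        # the initiator closes the stream and reports remote-server-timeout.
        steps.append('stream-close')
        return 'remote-server-timeout', steps
    steps += ['features', 'starttls', 'proceed']
    # A trusted initiator accepts only certificates chained to a common root CA,
    # so the TLS handshake with a self-signed peer fails. (Assumption: an
    # 'encrypted' initiator tolerates a self-signed peer certificate.)
    if initiator.policy == 'trusted' and receiver.cert != 'ca':
        steps.append('tls-failed')
        return 'remote-server-timeout', steps
    steps += ['tls-ok', 'stream-header', 'response-header', 'features']
    # After TLS the receiver requires SASL EXTERNAL only when the initiator's
    # certificate was issued by a common root CA; otherwise the peer identity is
    # weakly verified with Server Dialback (see Security Considerations).
    if initiator.cert == 'ca':
        steps += ['sasl-external', 'sasl-success', 'stream-header',
                  'response-header', 'features']
    else:
        steps.append('dialback')
    return 'routed', steps


def error_stanza(original_from, original_to, stanza_id):
    """Build the remote-server-timeout error the initiator returns to its user.

    Addressing is swapped relative to the original stanza and the id is preserved,
    which is exactly what the scenarios' Error Stanza examples must satisfy.
    """
    return (
        f"<iq from='{original_to}' id='{stanza_id}' to='{original_from}' type='error'>"
        "<error type='cancel'>"
        "<remote-server-timeout xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>"
        "</error></iq>"
    )


if __name__ == '__main__':
    for peer in (TYPE1, TYPE2, TYPE3, TYPE4, TYPE5):
        outcome, steps = negotiate(TYPE6, peer)
        print(f"type6.lit -> {peer.name}: {outcome} (last step: {steps[-1]})")
    print(error_stanza('chris@type6.lit/foo', 'citizen@type1.lit', 't6_t1'))
```
]]></example>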
</section1>
<section1 topic='Security Considerations' anchor='security'>
<p>As explained in <cite>RFC 3920</cite> and <cite>XEP-0220</cite>, Server Dialback does not provide authentication.</p>
<p>In the absence of out-of-band key exchange, acceptance of a self-signed certificate does not result in authentication of a peer and therefore should be followed by Server Dialback to weakly verify peer identity.</p>
<p>Acceptance of a certificate issued by a trusted root CA results in some level of authentication and therefore should be followed by SASL negotiation using the EXTERNAL mechanism.</p>
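<p>The receiving side's choice between Server Dialback and SASL EXTERNAL described here, together with the check the scenarios describe as the authorization identity matching the information in the presented certificate, as an added Python example that is not part of XEP-0238 or of any server implementation. The function names, the flag saying whether the peer certificate chains to a trusted root CA, the list of names taken from that certificate, and the extra requirement that the asserted identity equal the stream 'from' domain are assumptions of this example.</p>
<example caption="Added Example: Receiving-Side Peer Verification (Python)"><![CDATA[
```python
import base64
import binascii


def decode_authzid(text):
    """Decode the base64 authorization identity carried in <auth mechanism='EXTERNAL'>.

    A bare '=' is the SASL convention for an empty (absent) authzid and yields None.
    """
    if text == '=':
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError('malformed base64 authzid') from exc
    return raw.decode('utf-8')


def peer_verification_method(cert_chains_to_trusted_ca):
    """Pick the identity check to run after TLS, as the Security Considerations
    prescribe: SASL EXTERNAL for a CA-issued certificate, Server Dialback otherwise."""
    return 'sasl-external' if cert_chains_to_trusted_ca else 'dialback'


def external_auth_succeeds(authzid_b64, cert_chains_to_trusted_ca, cert_names, stream_from):
    """Receiving-side decision for <auth mechanism='EXTERNAL'>.

    Succeeds only when the peer certificate chains to a trusted root CA and the
    asserted identity (or, if none was asserted, the stream 'from' domain) is one
    of the names in the certificate. Requiring the identity to equal the stream
    'from' domain is an extra consistency check (assumption, not from the XEP).
    """
    if not cert_chains_to_trusted_ca:
        return False  # self-signed: no authentication here, fall back to dialback
    names = {n.lower() for n in cert_names}
    claimed = decode_authzid(authzid_b64)
    identity = (claimed or stream_from).lower()
    return identity in names and identity == stream_from.lower()
```
]]></example>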
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
<p>This document requires no interaction with &IANA;.</p>
</section1>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<p>This document requires no interaction with the &REGISTRAR;.</p>
</section1>
<section1 topic='Acknowledgements' anchor='ack'>
<p>Thanks to Philipp Hancke, Norman Rasmussen, and Tomasz Sterna for their feedback.</p>
</section1>
</xep>