IETF Logo Mail Archive

[xmpp] 3920bis: authentication identity

Peter Saint-Andre <stpeter@stpeter.im> Fri, 18 December 2009 23:49 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: xmpp@core3.amsl.com
Delivered-To: xmpp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 572EB3A69C1 for <xmpp@core3.amsl.com>; Fri, 18 Dec 2009 15:49:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.569
X-Spam-Level:
X-Spam-Status: No, score=-2.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SpctpNrzNISa for <xmpp@core3.amsl.com>; Fri, 18 Dec 2009 15:49:26 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 0A42A3A69D9 for <xmpp@ietf.org>; Fri, 18 Dec 2009 15:49:26 -0800 (PST)
Received: from dhcp-64-101-72-234.cisco.com (dhcp-64-101-72-234.cisco.com [64.101.72.234]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 705D140332 for <xmpp@ietf.org>; Fri, 18 Dec 2009 16:49:10 -0700 (MST)
Message-ID: <4B2C14F5.2070408@stpeter.im>
Date: Fri, 18 Dec 2009 16:49:09 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: XMPP <xmpp@ietf.org>
X-Enigmail-Version: 0.96.0
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms040504010106060503040800"
Subject: [xmpp] 3920bis: authentication identity
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2009 23:49:27 -0000

RFC 3920 does not specify whether the authentication identity in XMPP's
use of SASL is localpart or localpart@domain.tld. Someone reported to me
earlier today that this has been interpreted differently by different
XMPP software implementations. Both RFC 3920 and draft-ietf-xmpp-3920bis
have examples only of localpart, however it is not clearly specified in
the text -- and in the case of a server that provides virtual hosting
one could argue that the authentication identity should be the bare JID
localpart@domain.tld instead of just localpart. IMHO we need to clarify
this in draft-ietf-xmpp-3920bis.

The use of localpart instead of localpart@domain.tld seems to be
consistent with the following SASL mechanisms:

1. DIGEST-MD5 (RFC 2831), where the field "username" is described as
"the user's name in the specified realm".

2. CRAM-MD5 (draft-ietf-sasl-crammd5), which also specifies a "username"
field.

3. SCRAM (draft-ietf-sasl-scram), which states that field "n" is "the
name of the user whose password is used for authentication".

The use of localpart@domain.tld seems to be consistent with the
following SASL mechanism:

4. EXTERNAL (RFC 4422 and XEP-0178) given that id-on-xmppAddr in a
client certificate is supposed to be a bare JID.

By contrast, the SASL PLAIN mechanism (RFC 4616) is ambiguous, because
the field "authcid" is described as "free-form" and we never clarified
this in RFC 3920.

The core SASL spec (RFC 4422) states that authentication identities are
"mechanism specific" and also says:

   However, the precise form(s) of the authentication identities (used
   within the server in its verifications, or otherwise) and the precise
   form(s) of the authorization identities (used in making authorization
   decisions, or otherwise) are beyond the scope of SASL and this
   specification.  In some circumstances, the precise identity forms
   used in some context outside of the SASL exchange may be dictated by
   other specifications.  For instance, an identity assumption
   authorization (proxy authorization) policy specification may dictate
   how authentication and authorization identities are represented in
   policy statements.

Some would argue that the exact domain name could be encapsulated in the
"realm" but not all SASL mechanisms use "realm" (e.g., it is not part of
PLAIN or SCRAM), so we can't depend on that.

Another approach would be to take the domain from the 'to' address of
the initial stream header that the server receives from the client, but
that strikes me as a bit messy, especially in the case where the stream
header is sent over an unencrypted stream.

A third approach would be to say that the "username" in XMPP's use of
SASL is always a bare JID. I think I would prefer that because we can
make it consistent across all SASL mechanisms, but in practice many
clients are probably sending a localpart only because that's what the
examples show in RFC 3920 and draft-ietf-xmpp-3920bis.

Feedback is welcome.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.23.0 | Report a Bug | By Email