[xmpp] 3920bis: authentication identity
Peter Saint-Andre <stpeter@stpeter.im> Fri, 18 December 2009 23:49 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: xmpp@core3.amsl.com
Delivered-To: xmpp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 572EB3A69C1 for <xmpp@core3.amsl.com>; Fri, 18 Dec 2009 15:49:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.569
X-Spam-Level:
X-Spam-Status: No, score=-2.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SpctpNrzNISa for <xmpp@core3.amsl.com>; Fri, 18 Dec 2009 15:49:26 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 0A42A3A69D9 for <xmpp@ietf.org>; Fri, 18 Dec 2009 15:49:26 -0800 (PST)
Received: from dhcp-64-101-72-234.cisco.com (dhcp-64-101-72-234.cisco.com [64.101.72.234]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 705D140332 for <xmpp@ietf.org>; Fri, 18 Dec 2009 16:49:10 -0700 (MST)
Message-ID: <4B2C14F5.2070408@stpeter.im>
Date: Fri, 18 Dec 2009 16:49:09 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: XMPP <xmpp@ietf.org>
X-Enigmail-Version: 0.96.0
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms040504010106060503040800"
Subject: [xmpp] 3920bis: authentication identity
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2009 23:49:27 -0000
RFC 3920 does not specify whether the authentication identity in XMPP's use of SASL is localpart or localpart@domain.tld. Someone reported to me earlier today that this has been interpreted differently by different XMPP software implementations. Both RFC 3920 and draft-ietf-xmpp-3920bis have examples only of localpart, however it is not clearly specified in the text -- and in the case of a server that provides virtual hosting one could argue that the authentication identity should be the bare JID localpart@domain.tld instead of just localpart. IMHO we need to clarify this in draft-ietf-xmpp-3920bis. The use of localpart instead of localpart@domain.tld seems to be consistent with the following SASL mechanisms: 1. DIGEST-MD5 (RFC 2831), where the field "username" is described as "the user's name in the specified realm". 2. CRAM-MD5 (draft-ietf-sasl-crammd5), which also specifies a "username" field. 3. SCRAM (draft-ietf-sasl-scram), which states that field "n" is "the name of the user whose password is used for authentication". The use of localpart@domain.tld seems to be consistent with the following SASL mechanism: 4. EXTERNAL (RFC 4422 and XEP-0178) given that id-on-xmppAddr in a client certificate is supposed to be a bare JID. By contrast, the SASL PLAIN mechanism (RFC 4616) is ambiguous, because the field "authcid" is described as "free-form" and we never clarified this in RFC 3920. The core SASL spec (RFC 4422) states that authentication identities are "mechanism specific" and also says: However, the precise form(s) of the authentication identities (used within the server in its verifications, or otherwise) and the precise form(s) of the authorization identities (used in making authorization decisions, or otherwise) are beyond the scope of SASL and this specification. In some circumstances, the precise identity forms used in some context outside of the SASL exchange may be dictated by other specifications. For instance, an identity assumption authorization (proxy authorization) policy specification may dictate how authentication and authorization identities are represented in policy statements. Some would argue that the exact domain name could be encapsulated in the "realm" but not all SASL mechanisms use "realm" (e.g., it is not part of PLAIN or SCRAM), so we can't depend on that. Another approach would be to take the domain from the 'to' address of the initial stream header that the server receives from the client, but that strikes me as a bit messy, especially in the case where the stream header is sent over an unencrypted stream. A third approach would be to say that the "username" in XMPP's use of SASL is always a bare JID. I think I would prefer that because we can make it consistent across all SASL mechanisms, but in practice many clients are probably sending a localpart only because that's what the examples show in RFC 3920 and draft-ietf-xmpp-3920bis. Feedback is welcome. Peter -- Peter Saint-Andre https://stpeter.im/
- [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Tobias Markmann
- Re: [xmpp] 3920bis: authentication identity Justin Karneges
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Alexey Melnikov
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Jehan Pagès
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Jehan Pagès
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Jehan Pagès
- Re: [xmpp] 3920bis: authentication identity Paul Aurich
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Jehan Pagès
- Re: [xmpp] 3920bis: authentication identity Justin Karneges
- Re: [xmpp] 3920bis: authentication identity Kevin Smith
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Kurt Zeilenga
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Kevin Smith
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Kevin Smith
- Re: [xmpp] 3920bis: authentication identity Kevin Smith
- Re: [xmpp] 3920bis: authentication identity Jehan Pagès
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Jehan Pagès
- Re: [xmpp] 3920bis: authentication identity Paul Aurich
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- Re: [xmpp] 3920bis: authentication identity Peter Saint-Andre
- [xmpp] Fwd: 3920bis: authentication identity Jehan Pagès
- Re: [xmpp] Fwd: 3920bis: authentication identity Peter Saint-Andre