On Fri, May 13, 2011 at 5:10 AM, Dave Cridland <[email protected]> wrote:
> On Fri May 13 01:37:37 2011, Glenn Maynard wrote:
>
>> SASL mechanisms require the FQDN of the host being connected to[1]. With
>> xbosh, you can't always tell what the FQDN of the real server is.
>>
>
> I recall a lengthy discussion on this a while back, specifically with
> DIGEST-MD5.
>

I haven't been able to find it. Any idea where it was?

> I think it can be summarized as:
>
> Always just use the service domain, and never the hostname, when
> constructing the DIGEST URI.
>

By "service domain", you mean the domainpart of the JID? Is this for all
XMPP authentication and not just xbosh? If that's what clients are expected
to do, this should be specced, since implementors are guessing. (The
implementation I'm looking at--smack--doesn't even handle this consistently
internally.)

I'm guessing that it's not that simple, though. For example, rfc6120 4.7.1
mentions that with GSSAPI, the client doesn't even know the JID before
authentication.

> Also, DIGEST-MD5 is moving (has moved?) to historic. (Approved document
> making it thus has not yet been published).
>

I think GSSAPI also has its own dependencies on the hostname of the server,
and the parameter required by APIs like javax.security.sasl won't go
away--this might always crop up in other mechanisms.

-- 
Glenn Maynard
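As an added illustration (not part of the thread, and not smack's or any server's code), here is the RFC 2831 DIGEST-MD5 response computation with digest-uri built from the service domain, and a server-side check that verifies the response and then decides which host value in digest-uri it will accept. Every username, realm, password, nonce and host name below is constructed.

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hx(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(ha1_base: bytes, nonce: str, cnonce: str, nc: str,
                        digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response value for qop=auth.

    ha1_base is the raw MD5 of "username:realm:password"; the server only
    needs this hash, not the password.  digest_uri is the serv-type "/" host
    string whose host part this thread is about (service domain vs FQDN).
    """
    a1 = ha1_base + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hx(f"{_hx(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hx(a2)}".encode())


def client_response(username, realm, password, nonce, cnonce, nc, digest_uri):
    """Client side: it knows the password and picks the digest-uri itself."""
    return digest_md5_response(_h(f"{username}:{realm}:{password}".encode()),
                               nonce, cnonce, nc, digest_uri)


def server_verify(ha1_base, nonce, cnonce, nc, client_uri, response, accepted_hosts):
    """Server side: recompute with the client's own digest-uri, compare in
    constant time, then reject any host part outside accepted_hosts."""
    expected = digest_md5_response(ha1_base, nonce, cnonce, nc, client_uri)
    if not secrets.compare_digest(expected, response):
        return False
    serv_type, _, host = client_uri.partition("/")
    return serv_type == "xmpp" and host in accepted_hosts


def demo(client_uri: str, accepted_hosts: set) -> bool:
    """Constructed exchange: one client response checked by one server policy."""
    user, realm, pw = "juliet", "example.com", "constructed-secret"
    nonce, cnonce, nc = "constructed-server-nonce", "constructed-client-nonce", "00000001"
    resp = client_response(user, realm, pw, nonce, cnonce, nc, client_uri)
    stored = _h(f"{user}:{realm}:{pw}".encode())  # what the server keeps on file
    return server_verify(stored, nonce, cnonce, nc, client_uri, resp, accepted_hosts)


if __name__ == "__main__":
    # Client uses the JID domainpart; server accepts the service domain -> True
    print(demo("xmpp/example.com", {"example.com"}))
    # Same client, but the server insists on the connected host's FQDN -> False
    print(demo("xmpp/example.com", {"xmpp1.example.com"}))
```

The second call is the interoperability failure the thread describes: the password is right, but a server that keys digest-uri to a hostname the client cannot learn (for instance behind BOSH) will refuse the login.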
