Hello! While working on XEP-0178 and XEP-0257 support, I noticed XEP-0178 makes the distinction between 3 possible scenarios: the certificate contains one, more than one, or zero xmppAddr fields. Depending on the scenario and the authzid the client wants to use, the client must either include the authzid or use "=".

This is the only reason the client would need to understand the certificate for the user, which increases complexity for a client. The server still needs to parse the certificate as well, as it needs to validate what the client sends. I don't see any possible downside to the client always sending its desired authzid, except for maybe ~20 characters of extra data. The server can still do the same checking. I propose clients SHOULD send an authzid, except in case the certificate contains exactly one xmppAddr field, in which case they MAY omit the authzid and send "=".

Aside from this, I think the following line from 10(c) is self-contradictory: "only if it desires to be authorized as a JID other than the address specified during SASL negotiation". This _is_ the SASL negotiation; unless I'm missing something, this is where an authcid needs to be sent. I don't understand where the client would communicate its desired JID if it uses a certificate with zero xmppAddr fields and sends "=".

Regards,
Thijs
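As an added illustration of the three cases discussed in the message (not code from the post or from any XMPP project), the following models the client's choice of SASL EXTERNAL initial response and the server's validation of it. The certificate's xmppAddr values are passed in as a plain list of constructed JIDs instead of being parsed from X.509, and the server-side rule that an authzid must be one of the certificate's xmppAddr values is an assumption of this example, not a statement of what every deployment does.

```python
import base64
from typing import Optional


def client_initial_response(xmpp_addrs: list[str], desired: Optional[str] = None) -> str:
    """Build the text content of <auth mechanism='EXTERNAL'/> following XEP-0178.

    xmpp_addrs: id-on-xmppAddr values found in the client certificate (constructed here).
    desired:    bare JID the client wants to be authorized as; None means
                "whatever the certificate says", which only works for exactly one xmppAddr.
    Returns "=" for an empty authzid, otherwise the base64-encoded authzid.
    """
    if desired is None:
        if len(xmpp_addrs) != 1:
            raise ValueError(
                f"certificate has {len(xmpp_addrs)} xmppAddr values; a JID must be chosen")
        desired = xmpp_addrs[0]
    # Exactly one xmppAddr and the client wants that JID: the only case where
    # omitting the authzid is unambiguous, so "=" (empty response) is allowed.
    if len(xmpp_addrs) == 1 and desired == xmpp_addrs[0]:
        return "="
    # Zero or several xmppAddr values, or a different JID: the authzid is required.
    return base64.b64encode(desired.encode("utf-8")).decode("ascii")


def server_authorize(xmpp_addrs: list[str], auth_payload: str) -> str:
    """Server side: check the client's payload against the certificate it presented.

    Returns the bare JID the client is authorized as, or raises PermissionError.
    Assumption of this example: an explicit authzid is accepted only if the
    certificate asserts it as an xmppAddr; a zero-xmppAddr certificate therefore
    cannot be authorized here without some other (out-of-scope) mapping.
    """
    if auth_payload == "=":
        if len(xmpp_addrs) == 1:
            return xmpp_addrs[0]
        # Zero or several xmppAddr values: the server cannot pick a JID on its own.
        raise PermissionError(
            f"empty authzid but certificate has {len(xmpp_addrs)} xmppAddr values")
    try:
        authzid = base64.b64decode(auth_payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        raise PermissionError("malformed authzid")
    if authzid in xmpp_addrs:
        return authzid
    raise PermissionError(f"authzid {authzid!r} is not asserted by the certificate")
```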