So since during the summit, it was desired to have a breaking change to SASL2 
(that’s rare, isn’t it?), I have two suggestions for things which could use 
fixing and which could trigger a namespace bump and one thing which should be 
mentioned independently:


1. xml:lang on <text/>: The error messages could use xml:lang support, like 
stanza and RFC 6120 sasl errors do (with multiple <text/> elements in 
different languages).

2. Is there a particular reason why the <tasks/> thing uses plain strings as 
its values instead of a mechanism like <stream:features/>, where namespaced 
elements with possible child elements / text are used?

3. We should mention in the security considerations that clients should be 
careful which requests they include in the initial <authenticate/> especially 
when no transport security is in use; if the SASL method allows mutual 
authentication (e.g. SCRAM), a client might find that they’re not actually 
connected to the server and have just sent possibly private data to them.

Although somebody (I think it was Dave) noted:

> This probably is the difference between an attacker stabbing you multiple 
> times with a knife, and stabbing you multiple times with a slightly rusty 
> knife.

kind regards,
Jonas
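As an added illustration of point 3 (this is example code, not part of Jonas's message or of the SASL2 specification): a self-contained SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677 key derivation) that logs, for each of the four messages, whether the client has yet been able to verify the server. The user name, nonces, salt and passwords are constructed values. With SASL2, inline requests travel with the very first message, while the only evidence of the server's identity (the ServerSignature) arrives with the last one.

```python
import base64
import hashlib
import hmac

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def server_credentials(password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """What a SCRAM-SHA-256 server stores per user: (StoredKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    stored_key = hashlib.sha256(_hmac(salted, b"Client Key")).digest()
    return stored_key, _hmac(salted, b"Server Key")

def run_scram(password: str, stored_key: bytes, server_key: bytes,
              salt: bytes, iterations: int, cnonce: str = "cN", snonce: str = "sN") -> dict:
    """Walk the four SCRAM messages between a client holding `password` and a server
    holding (stored_key, server_key); log whether the server is verified at each step."""
    log = []
    # 1. client-first: in SASL2 this is where inline requests are piggybacked.
    client_first_bare = f"n=user,r={cnonce}"
    log.append(("client-first", False))
    # 2. server-first: salt, iteration count and combined nonce; any peer can send this.
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(salt).decode()},i={iterations}"
    log.append(("server-first", False))
    # 3. client-final: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    client_final_bare = f"c=biws,r={cnonce}{snonce}"      # c=biws is base64("n,,")
    auth_msg = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    proof = _xor(client_key, _hmac(hashlib.sha256(client_key).digest(), auth_msg))
    log.append(("client-final", False))
    # Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    recovered = _xor(proof, _hmac(stored_key, auth_msg))
    client_ok = hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key)
    # 4. server-final: ServerSignature = HMAC(ServerKey, AuthMessage) is the only message
    #    that proves the peer holds this user's ServerKey; the client checks it last.
    server_signature = _hmac(server_key, auth_msg)
    expected = _hmac(_hmac(salted, b"Server Key"), auth_msg)
    server_ok = hmac.compare_digest(server_signature, expected)
    log.append(("server-final", server_ok))
    return {"client_ok": client_ok, "server_ok": server_ok, "log": log}

def demo() -> tuple[bool, bool]:
    # Constructed data: a genuine server vs. a peer that does not hold the user's keys.
    salt, iters = b"constructed-salt", 4096
    genuine = run_scram("s3cret", *server_credentials("s3cret", salt, iters), salt, iters)
    impostor = run_scram("s3cret", *server_credentials("guess", salt, iters), salt, iters)
    return genuine["server_ok"], impostor["server_ok"]
```

In both runs the first three log entries are False: everything the client bundled into its first message has already been sent by the time the ServerSignature check can fail.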
