DIGEST-MD5 authzid question

Dave Cridland dave at cridland.net
Fri Feb 2 12:06:46 EST 2007


On Fri Feb  2 16:48:59 2007, Remko Tronçon wrote:
> Does this mean that Cyrus compares the authorization id against the
> authentication id, and doesn't add it to the challenge if they are
> equal? If so, why is this done?

I would guess that it's to avoid the case where a server 
implementation always rejects any request for an authzid.

>  Because Section 5 of RFC2222bis says
> that "A protocol profile MUST specify the form of the authorization
> identity (since it is protocol specific, as opposed to the
> authentication identity, which is mechanism specific) and how
> authorization identities are to be compared.", so comparing
> authorization and authentication ids asounds illegal in the first
> place.

In practise, they're really only distinct namespaces in LDAP.

In XMPP and mail, the default authzid is basically the canonicalized 
authid, and the canonicaliztion process is pretty well a no-op.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade


More information about the Cyrus-sasl mailing list