On Fri Feb 2 16:48:59 2007, Remko Tronçon wrote:
> Does this mean that Cyrus compares the authorization id against the
> authentication id, and doesn't add it to the challenge if they are
> equal? If so, why is this done?

I would guess that it's to avoid the case where a server
implementation always rejects any request for an authzid.

> Because Section 5 of RFC2222bis says
> that "A protocol profile MUST specify the form of the authorization
> identity (since it is protocol specific, as opposed to the
> authentication identity, which is mechanism specific) and how
> authorization identities are to be compared.", so comparing
> authorization and authentication ids sounds illegal in the first
> place.

In practice, they're really only distinct namespaces in LDAP.
In XMPP and mail, the default authzid is basically the canonicalized
authid, and the canonicalization process is pretty well a no-op.

Dave.
--
Dave Cridland - mailto:dave@xxxxxxxxxxxx - xmpp:dwd@xxxxxxxxxx
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade