draft-ietf-kitten-sasl-saml-00.txt   draft-ietf-kitten-sasl-saml-01.txt 
Network Working Group K. Wierenga Network Working Group K. Wierenga
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track E. Lear Intended status: Standards Track E. Lear
Expires: March 28, 2011 Cisco Systems GmbH Expires: April 25, 2011 Cisco Systems GmbH
S. Josefsson S. Josefsson
SJD AB SJD AB
September 24, 2010 October 22, 2010
A SASL and GSS-API Mechanism for SAML A SASL and GSS-API Mechanism for SAML
draft-ietf-kitten-sasl-saml-00.txt draft-ietf-kitten-sasl-saml-01.txt
Abstract Abstract
Security Assertion Markup Language (SAML) has found its usage on the Security Assertion Markup Language (SAML) has found its usage on the
Internet for Web Single Sign-On. Simple Authentication and Security Internet for Web Single Sign-On. Simple Authentication and Security
Layer (SASL) and the Generic Security Service Application Program Layer (SASL) and the Generic Security Service Application Program
Interface (GSS-API) are application frameworks to generalize Interface (GSS-API) are application frameworks to generalize
authentication. This memo specifies a SASL mechanism and a GSS-API authentication. This memo specifies a SASL mechanism and a GSS-API
mechanism for SAML 2.0 that allows the integration of existing SAML mechanism for SAML 2.0 that allows the integration of existing SAML
Identity Providers with applications using SASL and GSS-API. Identity Providers with applications using SASL and GSS-API.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 28, 2011. This Internet-Draft will expire on April 25, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 19 skipping to change at page 2, line 19
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Applicability for non-HTTP Use Cases . . . . . . . . . . . . . 6 3. Applicability for non-HTTP Use Cases . . . . . . . . . . . . . 6
4. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 9 4. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 9
4.1. Advertisement . . . . . . . . . . . . . . . . . . . . . . 9 4.1. Advertisement . . . . . . . . . . . . . . . . . . . . . . 9
4.2. Initiation . . . . . . . . . . . . . . . . . . . . . . . . 9 4.2. Initiation . . . . . . . . . . . . . . . . . . . . . . . . 9
4.3. Server Redirect . . . . . . . . . . . . . . . . . . . . . 9 4.3. Server Redirect . . . . . . . . . . . . . . . . . . . . . 9
4.4. Client Empty Response and other . . . . . . . . . . . . . 9 4.4. Client Empty Response and other . . . . . . . . . . . . . 10
4.5. Outcome and parameters . . . . . . . . . . . . . . . . . . 9 4.5. Outcome and parameters . . . . . . . . . . . . . . . . . . 10
5. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 10 5. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 11
5.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 10 5.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 11
6. Channel Binding . . . . . . . . . . . . . . . . . . . . . . . 11 6. Channel Binding . . . . . . . . . . . . . . . . . . . . . . . 12
7. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 7.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
8.1. Binding SAML subject identifiers to Authorization 7.2. IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Identities . . . . . . . . . . . . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 20
8.2. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 17 8.1. Man in the middle and Tunneling Attacks . . . . . . . . . 20
8.3. Collusion between RPs . . . . . . . . . . . . . . . . . . 17 8.2. Binding SAML subject identifiers to Authorization
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 Identities . . . . . . . . . . . . . . . . . . . . . . . . 20
10. Normative References . . . . . . . . . . . . . . . . . . . . . 19 8.3. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 20
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 20 8.4. Collusion between RPs . . . . . . . . . . . . . . . . . . 20
Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 21 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
10.1. Normative References . . . . . . . . . . . . . . . . . . . 22
10.2. Informative References . . . . . . . . . . . . . . . . . . 23
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 24
Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26
1. Introduction 1. Introduction
Security Assertion Markup Language (SAML) 2.0 Security Assertion Markup Language (SAML) 2.0
[OASIS.saml-core-2.0-os] is a modular specification that provides [OASIS.saml-core-2.0-os] is a modular specification that provides
various means for a user to be identified to a relying party (RP) various means for a user to be identified to a relying party (RP)
through the exchange of (typically signed) assertions issued by an through the exchange of (typically signed) assertions issued by an
identity provider (IdP). It includes a number of protocols, protocol identity provider (IdP). It includes a number of protocols, protocol
bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles
[OASIS.saml-profiles-2.0-os] designed for different use cases. [OASIS.saml-profiles-2.0-os] designed for different use cases.
Simple Authentication and Security Layer (SASL) [RFC4422] is a Simple Authentication and Security Layer (SASL) [RFC4422] is a
generalized mechanism for identifying and authenticating a user and generalized mechanism for identifying and authenticating a user and
for optionally negotiating a security layer for subsequent protocol for optionally negotiating a security layer for subsequent protocol
interactions. SASL is used by application protocols like IMAP, POP interactions. SASL is used by application protocols like IMAP
and XMPP. The effect is to make modular authentication, so that [RFC3501] and XMPP [RFC3920]. The effect is to make modular
newer authentication mechanisms can be added as needed. This memo authentication, so that newer authentication mechanisms can be added
specifies just such a mechanism. as needed. This memo specifies just such a mechanism.
The Generic Security Service Application Program Interface (GSS-API) The Generic Security Service Application Program Interface (GSS-API)
[RFC2743] provides a framework for applications to support multiple [RFC2743] provides a framework for applications to support multiple
authentication mechanisms through a unified programming interface. authentication mechanisms through a unified programming interface.
This document defines a pure SASL mechanism for SAML, but it conforms This document defines a pure SASL mechanism for SAML, but it conforms
to the new bridge between SASL and the GSS-API called GS2 [RFC5801]. to the new bridge between SASL and the GSS-API called GS2 [RFC5801].
This means that this document defines both a SASL mechanism and a This means that this document defines both a SASL mechanism and a
GSS-API mechanism. We want to point out that the GSS-API interface GSS-API mechanism. We want to point out that the GSS-API interface
is optional for SASL implementers, and the GSS-API considerations can is optional for SASL implementers, and the GSS-API considerations can
be avoided in environments that uses SASL directly without GSS-API. be avoided in environments that uses SASL directly without GSS-API.
skipping to change at page 3, line 43 skipping to change at page 3, line 43
As currently envisioned, this mechanism is to allow the interworking As currently envisioned, this mechanism is to allow the interworking
between SASL and SAML in order to assert identity and other between SASL and SAML in order to assert identity and other
attributes to relying parties. As such, while servers (as relying attributes to relying parties. As such, while servers (as relying
parties) will advertise SASL mechanisms (including SAML), clients parties) will advertise SASL mechanisms (including SAML), clients
will select the SAML SASL mechanism as their SASL mechanism of will select the SAML SASL mechanism as their SASL mechanism of
choice. choice.
The SAML mechanism described in this memo aims to re-use the The SAML mechanism described in this memo aims to re-use the
available SAML deployment to a maximum extent and therefore does not available SAML deployment to a maximum extent and therefore does not
establish a separate authentication, integrity and confidentiality establish a separate authentication, integrity and confidentiality
mechanism. It is anticipated that existing security layers, such as mechanism. The mechanisms assumes a security layer, such as
Transport Layer Security (TLS), will continued to be used. Transport Layer Security (TLS), to protect against some attacks.
Figure 1 describes the interworking between SAML and SASL: this Figure 1 describes the interworking between SAML and SASL: this
document requires enhancements to the Relying Party and to the Client document requires enhancements to the Relying Party and to the Client
(as the two SASL communication end points) but no changes to the SAML (as the two SASL communication end points) but no changes to the SAML
Identity Provider are necessary. To accomplish this goal some Identity Provider are necessary. To accomplish this goal some
indirect messaging is tunneled within SASL, and some use of external indirect messaging is tunneled within SASL, and some use of external
methods is made. methods is made.
+-----------+ +-----------+
| | | |
skipping to change at page 9, line 8 skipping to change at page 9, line 8
| | | | | |
----- = SASL ----- = SASL
- - - = HTTP or HTTPs (external to SASL) - - - = HTTP or HTTPs (external to SASL)
Figure 2: Authentication flow Figure 2: Authentication flow
4. SAML SASL Mechanism Specification 4. SAML SASL Mechanism Specification
Based on the previous figure, the following operations are performed Based on the previous figure, the following operations are performed
with the SAML SASL mechanism: with the SAML SASL mechanism.
The mechanism is "client first" as discussed in section 3 of
[RFC4422] which means that the initial server challenge will be empty
if the protocol does not support an initial client response.
4.1. Advertisement 4.1. Advertisement
To advertise that a server supports SAML 2.0, during application To advertise that a server supports SAML 2.0, during application
session initiation, it displays the name "SAML20" in the list of session initiation, it displays the name "SAML20" in the list of
supported SASL mechanisms. supported SASL mechanisms.
4.2. Initiation 4.2. Initiation
A client initiates a "SAML20" authentication with SASL by sending the A client initiates a "SAML20" authentication with SASL by sending the
skipping to change at page 9, line 34 skipping to change at page 9, line 38
Identifier = URI ; IdP URI Identifier = URI ; IdP URI
The "gs2-header" is specified in [RFC5801], and it is used as The "gs2-header" is specified in [RFC5801], and it is used as
follows. The "gs2-nonstd-flag" MUST NOT be present. Regarding the follows. The "gs2-nonstd-flag" MUST NOT be present. Regarding the
channel binding "gs2-cb-flag" field, see Section 5. The "gs2- channel binding "gs2-cb-flag" field, see Section 5. The "gs2-
authzid" carries the optional authorization identity. URI is authzid" carries the optional authorization identity. URI is
specified in [RFC3986]. specified in [RFC3986].
4.3. Server Redirect 4.3. Server Redirect
The SASL Server transmits a redirect to the IdP that the user The SASL Server transmits a URI to the IdP that the user provided,
provided, with a SAML authentication request in the form of a SAML with a SAML authentication request in the form of a SAML assertion as
assertion as one of the parameters. one of the parameters.
redirect-url = URI
As before, URI is specified in [RFC3986].
4.4. Client Empty Response and other 4.4. Client Empty Response and other
The SASL client hands the URI it received from the server in the The SASL client hands the URI it received from the server in the
previous step to either a browser or other appropriate handler to previous step to either a browser or other appropriate handler to
continue authentication externally while sending an empty response to continue authentication externally while sending an empty response to
the SASL server. The URI is encoded according to Section 3.4 of the the SASL server. The URI is encoded according to Section 3.4 of the
SAML bindings 2.0 specification [OASIS.saml-bindings-2.0-os]. SAML bindings 2.0 specification [OASIS.saml-bindings-2.0-os].
empty-response = ""
4.5. Outcome and parameters 4.5. Outcome and parameters
The SAML authentication having completed externally, the SASL server The SAML authentication having completed externally, the SASL server
will transmit the outcome. will transmit the outcome of the authentication exchange as success
or failure.
5. SAML GSS-API Mechanism Specification 5. SAML GSS-API Mechanism Specification
This section and its sub-sections and all normative references of it This section and its sub-sections and all normative references of it
not referenced elsewhere in this document are INFORMATIONAL for SASL not referenced elsewhere in this document are INFORMATIONAL for SASL
implementors, but they are NORMATIVE for GSS-API implementors. implementors, but they are NORMATIVE for GSS-API implementors.
The SAML SASL mechanism is actually also a GSS-API mechanism. The The SAML SASL mechanism is actually also a GSS-API mechanism. The
messages are the same, but messages are the same, but
a) the GS2 header on the client's first message and channel binding a) the GS2 header on the client's first message and channel binding
data is excluded when SAML is used as a GSS-API mechanism, and data is excluded when SAML is used as a GSS-API mechanism, and
b) the RFC2743 section 3.1 initial context token header is prefixed b) the RFC2743 section 3.1 initial context token header is prefixed
to the client's first authentication message (context token). to the client's first authentication message (context token).
The GSS-API mechanism OID for SAML is 1.3.6.1.4.1.11591.4.8. The GSS-API mechanism OID for SAML is 1.3.6.1.4.1.11591.4.8.
SAML security contexts always have the mutual_state flag SAML20 security contexts always have the mutual_state flag
(GSS_C_MUTUAL_FLAG) set to TRUE. SAML does not support credential (GSS_C_MUTUAL_FLAG) set to TRUE. SAML does not support credential
delegation (FIXME), therefore SCRAM security contexts alway have the delegation, therefore SAML security contexts alway have the
deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE. deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE.
The SAML mechanism does not support (FIXME) per-message tokens or The SAML mechanism does not support per-message tokens or
GSS_Pseudo_random. GSS_Pseudo_random.
Note that the GSS-API mechanism MUST only be used by the client when
a secure channel with server authentication (e.g., TLS) is available.
5.1. GSS-API Principal Name Types for SAML 5.1. GSS-API Principal Name Types for SAML
SAML supports standard generic name syntaxes for acceptors such as SAML supports standard generic name syntaxes for acceptors such as
GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4.1). SAML GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4.1). SAML
supports only a single name type for initiators: GSS_C_NT_USER_NAME. supports only a single name type for initiators: GSS_C_NT_USER_NAME.
GSS_C_NT_USER_NAME is the default name type for SAML. The query, GSS_C_NT_USER_NAME is the default name type for SAML. The query,
display, and exported name syntaxes for SAML principal names are all display, and exported name syntaxes for SAML principal names are all
the same. There are no SAML-specific name syntaxes -- applications the same. There are no SAML-specific name syntaxes -- applications
should use generic GSS-API name types such as GSS_C_NT_USER_NAME and should use generic GSS-API name types such as GSS_C_NT_USER_NAME and
GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4). The exported GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4). The exported
name token does, of course, conform to [RFC2743], Section 3.2. GSS- name token does, of course, conform to [RFC2743], Section 3.2.
API name attributes may be defined in the future to hold the SAML
Subject Identifier.
6. Channel Binding 6. Channel Binding
The "gs2-cb-flag" MUST use "n" because channel binding data cannot be The "gs2-cb-flag" MUST use "n" because channel binding data cannot be
integrity protected by the SAML negotiation. integrity protected by the SAML negotiation. FIXME: Transfer channel
binding in SAML assertion?
7. Example 7. Examples
7.1. XMPP
Suppose the user has an identity at the SAML IdP saml.example.org and Suppose the user has an identity at the SAML IdP saml.example.org and
a Jabber Identifier (JID) "somenode@example.com", and wishes to a Jabber Identifier (JID) "somenode@example.com", and wishes to
authenticate his XMPP connection to xmpp.example.com. The authenticate his XMPP connection to xmpp.example.com. The
authentication on the wire would then look something like the authentication on the wire would then look something like the
following: following:
Step 1: Client initiates stream to server: Step 1: Client initiates stream to server:
<stream:stream xmlns='jabber:client' <stream:stream xmlns='jabber:client'
skipping to change at page 12, line 35 skipping to change at page 13, line 37
Step 3: Server informs client of available authentication mechanisms: Step 3: Server informs client of available authentication mechanisms:
<stream:features> <stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism> <mechanism>DIGEST-MD5</mechanism>
<mechanism>PLAIN</mechanism> <mechanism>PLAIN</mechanism>
<mechanism>SAML20</mechanism> <mechanism>SAML20</mechanism>
</mechanisms> </mechanisms>
</stream:features> </stream:features>
Step 4: Client selects an authentication mechanism: Step 4: Client selects an authentication mechanism and provides the
initial client response:
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SAML20'> <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SAML20'>
https://saml.example.org</auth> n,,https://saml.example.org</auth>
Step 5: Server sends a BASE64 [RFC4648] encoded challenge to client Step 5: Server sends a BASE64 [RFC4648] encoded challenge to client
in the form of an HTTP Redirect to the SAML IdP with the SAML in the form of an HTTP Redirect to the SAML IdP with the SAML
Authentication Request as specified in the redirection url: Authentication Request as specified in the redirection url:
SFRUUC8xLjEgMzAyIE9iamVjdCBNb3ZlZCBEYXRlOiAyMiBPY3QgMjAwOSAwNzowMDo0OS aHR0cHM6Ly9zYW1sLmV4YW1wbGUub3JnL1NBTUwvQnJvd3Nlcj9TQU1MUmVx
BHTVQgTG9jYXRpb246DQpodHRwczovL3NhbWwuZXhhbXBsZS5vcmcvU0FNTC9Ccm93c2Vy dWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz
P1NBTUxSZXF1ZXN0PQ0KUEhOaGJXeHdPa0YxZEdodVVtVnhkV1Z6ZENCNGJXeHVjenB6WV Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnli
cxc2NEMGlkWEp1T205aGMybHpPbTVoYldWek9uUmpPbE5CVFV3Ng0KTWk0d09uQnliM1J2 M1J2WTI5c0lnMEtJQ0FnSUVsRVBTSmZZbVZqTkRJMFptRTFNVEF6TkRJNE9U
WTI5c0lnMEtJQ0FnSUVsRVBTSmZZbVZqTkRJMFptRTFNVEF6TkRJNE9UQTVZVE13Wm1ZeF QTVZVE13Wm1ZeFpUTXhNVFk0TXpJM1pqYzVORGMwT1RnMElpQldaWEp6YVc5
pUTXhNVFk0TXpJMw0KWmpjNU5EYzBPVGcwSWlCV1pYSnphVzl1UFNJeUxqQWlEUW9nSUNB dVBTSXlMakFpRFFvZ0lDQWdTWE56ZFdWSmJuTjBZVzUwUFNJeU1EQTNMVEV5
Z1NYTnpkV1ZKYm5OMFlXNTBQU0l5TURBM0xURXlMVEV3VkRFeA0KT2pNNU9qTTBXaUlnUm TFRFd1ZERXhPak01T2pNMFdpSWdSbTl5WTJWQmRYUm9iajBpWm1Gc2MyVWlE
05eVkyVkJkWFJvYmowaVptRnNjMlVpRFFvZ0lDQWdTWE5RWVhOemFYWmxQU0ptWVd4elpT UW9nSUNBZ1NYTlFZWE56YVhabFBTSm1ZV3h6WlNJTkNpQWdJQ0JRY205MGIy
SU5DaUFnSUNCUQ0KY205MGIyTnZiRUpwYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbG TnZiRUpwYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUx
N6cDBZenBUUVUxTU9qSXVNRHBpYVc1a2FXNW5jenBJVkZSUQ0KTFZCUFUxUWlEUW9nSUNB TU9qSXVNRHBpYVc1a2FXNW5jenBJVkZSUUxWQlBVMVFpRFFvZ0lDQWdRWE56
Z1FYTnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05sVlZKTVBRMEtJQ0FnSUNBZ0lDQW WlhKMGFXOXVRMjl1YzNWdFpYSlRaWEoyYVdObFZWSk1QUTBLSUNBZ0lDQWdJ
lhSFIwY0hNNg0KTHk5NGJYQndMbVY0WVcxd2JHVXVZMjl0TDFOQlRVd3ZRWE56WlhKMGFX Q0FpYUhSMGNITTZMeTk0YlhCd0xtVjRZVzF3YkdVdVkyOXRMMU5CVFV3dlFY
OXVRMjl1YzNWdFpYSlRaWEoyYVdObElqNE5DaUE4YzJGdA0KYkRwSmMzTjFaWElnZUcxc2 TnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05sSWo0TkNpQThjMkZ0YkRw
JuTTZjMkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09tRnpj SmMzTjFaWElnZUcxc2JuTTZjMkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6
MlZ5ZEdsdg0KYmlJK0RRb2dJQ0FnSUdoMGRIQnpPaTh2ZUcxd2NDNWxlR0Z0Y0d4bExtTn T25Sak9sTkJUVXc2TWk0d09tRnpjMlZ5ZEdsdmJpSStEUW9nSUNBZ0lHaDBk
ZiUTBLSUR3dmMyRnRiRHBKYzNOMVpYSStEUW9nUEhOaA0KYld4d09rNWhiV1ZKUkZCdmJH SEJ6T2k4dmVHMXdjQzVsZUdGdGNHeGxMbU52YlEwS0lEd3ZjMkZ0YkRwSmMz
bGplU0I0Yld4dWN6cHpZVzFzY0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVX TjFaWEkrRFFvZ1BITmhiV3h3T2s1aGJXVkpSRkJ2YkdsamVTQjRiV3h1Y3pw
c2TWk0dw0KT25CeWIzUnZZMjlzSWcwS0lDQWdJQ0JHYjNKdFlYUTlJblZ5YmpwdllYTnBj ellXMXNjRDBpZFhKdU9tOWhjMmx6T201aGJXVnpPblJqT2xOQlRVdzZNaTR3
enB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHB1WVcxbA0KYVdRdFptOXliV0YwT25CbGNuTn T25CeWIzUnZZMjlzSWcwS0lDQWdJQ0JHYjNKdFlYUTlJblZ5YmpwdllYTnBj
BjM1JsYm5RaURRb2dJQ0FnSUZOUVRtRnRaVkYxWVd4cFptbGxjajBpZUcxd2NDNWxlR0Z0 enB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHB1WVcxbGFXUXRabTl5YldGME9u
Y0d4bA0KTG1OdmJTSWdRV3hzYjNkRGNtVmhkR1U5SW5SeWRXVWlJQzgrRFFvZ1BITmhiV3 Qmxjbk5wYzNSbGJuUWlEUW9nSUNBZ0lGTlFUbUZ0WlZGMVlXeHBabWxsY2ow
h3T2xKbGNYVmxjM1JsWkVGMWRHaHVRMjl1ZEdWNA0KZEEwS0lDQWdJQ0I0Yld4dWN6cHpZ aWVHMXdjQzVsZUdGdGNHeGxMbU52YlNJZ1FXeHNiM2REY21WaGRHVTlJblJ5
VzFzY0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WT ZFdVaUlDOCtEUW9nUEhOaGJXeHdPbEpsY1hWbGMzUmxaRUYxZEdodVEyOXVk
I5cw0KSWlBTkNpQWdJQ0FnSUNBZ1EyOXRjR0Z5YVhOdmJqMGlaWGhoWTNRaVBnMEtJQ0E4 R1Y0ZEEwS0lDQWdJQ0I0Yld4dWN6cHpZVzFzY0QwaWRYSnVPbTloYzJsek9t
YzJGdGJEcEJkWFJvYmtOdmJuUmxlSFJEYkdGeg0KYzFKbFpnMEtJQ0FnSUNBZ2VHMXNibk NWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQU5DaUFnSUNB
02YzJGdGJEMGlkWEp1T205aGMybHpPbTVoYldWek9uUmpPbE5CVFV3Nk1pNHdPbUZ6YzJW Z0lDQWdRMjl0Y0dGeWFYTnZiajBpWlhoaFkzUWlQZzBLSUNBOGMyRnRiRHBC
eQ0KZEdsdmJpSStEUW9nb0NBZ0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhNNmRHTTZVMEZOVE ZFhSb2JrTnZiblJsZUhSRGJHRnpjMUpsWmcwS0lDQWdJQ0FnZUcxc2JuTTZj
RveUxqQTZZV002WTJ4aGMzTmxjenBRWVhOeg0KZDI5eVpGQnliM1JsWTNSbFpGUnlZVzV6 MkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09t
Y0c5eWRBMEtJQ0E4TDNOaGJXdzZRWFYwYUc1RGIyNTBaWGgwUTJ4aGMzTlNaV1krRFFvZw RnpjMlZ5ZEdsdmJpSStEUW9nb0NBZ0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhN
0KUEM5ellXMXNjRHBTWlhGMVpYTjBaV1JCZFhSb2JrTnZiblJsZUhRK0lBMEtQQzl6WVcx NmRHTTZVMEZOVERveUxqQTZZV002WTJ4aGMzTmxjenBRWVhOemQyOXlaRkJ5
c2NEcEJkWFJvYmxKbGNYVmxjM1Er YjNSbFkzUmxaRlJ5WVc1emNHOXlkQTBLSUNBOEwzTmhiV3c2UVhWMGFHNURi
MjUwWlhoMFEyeGhjM05TWldZK0RRb2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpX
UkJkWFJvYmtOdmJuUmxlSFErSUEwS1BDOXpZVzFzY0RwQmRYUm9ibEpsY1hW
bGMzUSs=
The decoded challenge is: The decoded challenge is:
HTTP/1.1 302 Object Moved Date: 22 Oct 2009 07:00:49 GMT Location: https://saml.example.org/SAML/Browser?SAMLRequest=PHNhbWxwOk
https://saml.example.org/SAML/Browser?SAMLRequest= F1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOl
PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOl NBTUw6Mi4wOnByb3RvY29sIg0KICAgIElEPSJfYmVjNDI0ZmE1MTAzNDI4OT
NBTUw6Mi4wOnByb3RvY29sIg0KICAgIElEPSJfYmVjNDI0ZmE1MTAzNDI4OTA5YTMwZmYx A5YTMwZmYxZTMxMTY4MzI3Zjc5NDc0OTg0IiBWZXJzaW9uPSIyLjAiDQogIC
ZTMxMTY4MzI3Zjc5NDc0OTg0IiBWZXJzaW9uPSIyLjAiDQogICAgSXNzdWVJbnN0YW50PS AgSXNzdWVJbnN0YW50PSIyMDA3LTEyLTEwVDExOjM5OjM0WiIgRm9yY2VBdX
IyMDA3LTEyLTEwVDExOjM5OjM0WiIgRm9yY2VBdXRobj0iZmFsc2UiDQogICAgSXNQYXNz Robj0iZmFsc2UiDQogICAgSXNQYXNzaXZlPSJmYWxzZSINCiAgICBQcm90b2
aXZlPSJmYWxzZSINCiAgICBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0Yz NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW
pTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiDQogICAgQXNzZXJ0aW9uQ29uc3VtZXJT 5nczpIVFRQLVBPU1QiDQogICAgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVV
ZXJ2aWNlVVJMPQ0KICAgICAgICAiaHR0cHM6Ly94bXBwLmV4YW1wbGUuY29tL1NBTUwvQX JMPQ0KICAgICAgICAiaHR0cHM6Ly94bXBwLmV4YW1wbGUuY29tL1NBTUwvQX
NzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlIj4NCiA8c2FtbDpJc3N1ZXIgeG1sbnM6c2FtbD0i NzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlIj4NCiA8c2FtbDpJc3N1ZXIgeG1sbn
dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+DQogICAgIGh0dHBzOi M6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbi
8veG1wcC5leGFtcGxlLmNvbQ0KIDwvc2FtbDpJc3N1ZXI+DQogPHNhbWxwOk5hbWVJRFBv I+DQogICAgIGh0dHBzOi8veG1wcC5leGFtcGxlLmNvbQ0KIDwvc2FtbDpJc3
bGljeSB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY2 N1ZXI+DQogPHNhbWxwOk5hbWVJRFBvbGljeSB4bWxuczpzYW1scD0idXJuOm
9sIg0KICAgICBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQt 9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIg0KICAgICBGb3JtYX
Zm9ybWF0OnBlcnNpc3RlbnQiDQogICAgIFNQTmFtZVF1YWxpZmllcj0ieG1wcC5leGFtcG Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0On
xlLmNvbSIgQWxsb3dDcmVhdGU9InRydWUiIC8+DQogPHNhbWxwOlJlcXVlc3RlZEF1dGhu BlcnNpc3RlbnQiDQogICAgIFNQTmFtZVF1YWxpZmllcj0ieG1wcC5leGFtcG
Q29udGV4dA0KICAgICB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi xlLmNvbSIgQWxsb3dDcmVhdGU9InRydWUiIC8+DQogPHNhbWxwOlJlcXVlc3
4wOnByb3RvY29sIiANCiAgICAgICAgQ29tcGFyaXNvbj0iZXhhY3QiPg0KICA8c2FtbDpB RlZEF1dGhuQ29udGV4dA0KICAgICB4bWxuczpzYW1scD0idXJuOm9hc2lzOm
dXRobkNvbnRleHRDbGFzc1JlZg0KICAgICAgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbW 5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiANCiAgICAgICAgQ29tcGFyaX
VzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+DQogoCAgICB1cm46b2FzaXM6bmFtZXM6dGM6 Nvbj0iZXhhY3QiPg0KICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZg0KIC
U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydA0KICA8L3 AgICAgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm
NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogPC9zYW1scDpSZXF1ZXN0ZWRBdXRobkNv Fzc2VydGlvbiI+DQogICAgICAgICAgIHVybjpvYXNpczpuYW1lczp0YzpTQU
bnRleHQ+IA0KPC9zYW1scDpBdXRoblJlcXVlc3Q+ 1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0DQ
ogIDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiA8L3NhbWxwOlJlcX
Vlc3RlZEF1dGhuQ29udGV4dD4gDQo8L3NhbWxwOkF1dGhuUmVxdWVzdD4=
Where the decoded SAMLRequest looks like: Where the decoded SAMLRequest looks like:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0" ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0"
IssueInstant="2007-12-10T11:39:34Z" ForceAuthn="false" IssueInstant="2007-12-10T11:39:34Z" ForceAuthn="false"
IsPassive="false" IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL= AssertionConsumerServiceURL=
"https://xmpp.example.com/SAML/AssertionConsumerService"> "https://xmpp.example.com/SAML/AssertionConsumerService">
skipping to change at page 17, line 5 skipping to change at page 18, line 17
Step 11: Server informs client of successful resource binding: Step 11: Server informs client of successful resource binding:
<iq type='result' id='bind_1'> <iq type='result' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<jid>somenode@example.com/someresource</jid> <jid>somenode@example.com/someresource</jid>
</bind> </bind>
</iq> </iq>
Please note: line breaks were added to the base64 for clarity. Please note: line breaks were added to the base64 for clarity.
7.2. IMAP
The following describes an IMAP exchange. Lines beginning with 'S:'
indicate data sent by the server, and lines starting with 'C:'
indicate data sent by the client. Long lines are wrapped for
readability.
S: * OK IMAP4rev1
C: . CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS
S: . OK CAPABILITY Completed
C: . STARTTLS
S: . OK Begin TLS negotiation now
C: . CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=SAML20
S: . OK CAPABILITY Completed
C: . AUTHENTICATE SAML20
S: +
C: biwsaHR0cHM6Ly9zYW1sLmV4YW1wbGUub3Jn
S: + aHR0cHM6Ly9zYW1sLmV4YW1wbGUub3JnL1NBTUwvQnJvd3Nlcj9TQU1MUmVx
dWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz
Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnli
M1J2WTI5c0lnMEtJQ0FnSUVsRVBTSmZZbVZqTkRJMFptRTFNVEF6TkRJNE9U
QTVZVE13Wm1ZeFpUTXhNVFk0TXpJM1pqYzVORGMwT1RnMElpQldaWEp6YVc5
dVBTSXlMakFpRFFvZ0lDQWdTWE56ZFdWSmJuTjBZVzUwUFNJeU1EQTNMVEV5
TFRFd1ZERXhPak01T2pNMFdpSWdSbTl5WTJWQmRYUm9iajBpWm1Gc2MyVWlE
UW9nSUNBZ1NYTlFZWE56YVhabFBTSm1ZV3h6WlNJTkNpQWdJQ0JRY205MGIy
TnZiRUpwYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUx
TU9qSXVNRHBpYVc1a2FXNW5jenBJVkZSUUxWQlBVMVFpRFFvZ0lDQWdRWE56
WlhKMGFXOXVRMjl1YzNWdFpYSlRaWEoyYVdObFZWSk1QUTBLSUNBZ0lDQWdJ
Q0FpYUhSMGNITTZMeTk0YlhCd0xtVjRZVzF3YkdVdVkyOXRMMU5CVFV3dlFY
TnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05sSWo0TkNpQThjMkZ0YkRw
SmMzTjFaWElnZUcxc2JuTTZjMkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6
T25Sak9sTkJUVXc2TWk0d09tRnpjMlZ5ZEdsdmJpSStEUW9nSUNBZ0lHaDBk
SEJ6T2k4dmVHMXdjQzVsZUdGdGNHeGxMbU52YlEwS0lEd3ZjMkZ0YkRwSmMz
TjFaWEkrRFFvZ1BITmhiV3h3T2s1aGJXVkpSRkJ2YkdsamVTQjRiV3h1Y3pw
ellXMXNjRDBpZFhKdU9tOWhjMmx6T201aGJXVnpPblJqT2xOQlRVdzZNaTR3
T25CeWIzUnZZMjlzSWcwS0lDQWdJQ0JHYjNKdFlYUTlJblZ5YmpwdllYTnBj
enB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHB1WVcxbGFXUXRabTl5YldGME9u
Qmxjbk5wYzNSbGJuUWlEUW9nSUNBZ0lGTlFUbUZ0WlZGMVlXeHBabWxsY2ow
aWVHMXdjQzVsZUdGdGNHeGxMbU52YlNJZ1FXeHNiM2REY21WaGRHVTlJblJ5
ZFdVaUlDOCtEUW9nUEhOaGJXeHdPbEpsY1hWbGMzUmxaRUYxZEdodVEyOXVk
R1Y0ZEEwS0lDQWdJQ0I0Yld4dWN6cHpZVzFzY0QwaWRYSnVPbTloYzJsek9t
NWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQU5DaUFnSUNB
Z0lDQWdRMjl0Y0dGeWFYTnZiajBpWlhoaFkzUWlQZzBLSUNBOGMyRnRiRHBC
ZFhSb2JrTnZiblJsZUhSRGJHRnpjMUpsWmcwS0lDQWdJQ0FnZUcxc2JuTTZj
MkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09t
RnpjMlZ5ZEdsdmJpSStEUW9nb0NBZ0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhN
NmRHTTZVMEZOVERveUxqQTZZV002WTJ4aGMzTmxjenBRWVhOemQyOXlaRkJ5
YjNSbFkzUmxaRlJ5WVc1emNHOXlkQTBLSUNBOEwzTmhiV3c2UVhWMGFHNURi
MjUwWlhoMFEyeGhjM05TWldZK0RRb2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpX
UkJkWFJvYmtOdmJuUmxlSFErSUEwS1BDOXpZVzFzY0RwQmRYUm9ibEpsY1hW
bGMzUSs=
C:
S: . OK Success (tls protection)
8. Security Considerations 8. Security Considerations
This section will address only security considerations associated This section will address only security considerations associated
with the use of SAML with SASL applications. For considerations with the use of SAML with SASL applications. For considerations
relating to SAML in general, the reader is referred to the SAML relating to SAML in general, the reader is referred to the SAML
specification and to other literature. Similarly, for general SASL specification and to other literature. Similarly, for general SASL
Security Considerations, the reader is referred to that Security Considerations, the reader is referred to that
specification. specification.
8.1. Binding SAML subject identifiers to Authorization Identities 8.1. Man in the middle and Tunneling Attacks
This mechanism is vulnerable to man in the middle and tunneling
attacks unless a client always verify the server identity before
proceeding with authentication. Typically TLS is used to provide a
secure channel with server authentication.
8.2. Binding SAML subject identifiers to Authorization Identities
As specified in [RFC4422], the server is responsible for binding As specified in [RFC4422], the server is responsible for binding
credentials to a specific authorization identity. It is therefore credentials to a specific authorization identity. It is therefore
necessary that only specific trusted IdPs be allowed. This is necessary that only specific trusted IdPs be allowed. This is
typical part of SAML trust establishment between RP's and IdP. typical part of SAML trust establishment between RP's and IdP.
8.2. User Privacy 8.3. User Privacy
The IdP is aware of each RP that a user logs into. There is nothing The IdP is aware of each RP that a user logs into. There is nothing
in the protocol to hide this information from the IdP. It is not a in the protocol to hide this information from the IdP. It is not a
requirement to track the visits, but there is nothing that prohibits requirement to track the visits, but there is nothing that prohibits
the collection of information. SASL servers should be aware that the collection of information. SASL servers should be aware that
SAML IdPs will track - to some extent - user access to their SAML IdPs will track - to some extent - user access to their
services. services.
8.3. Collusion between RPs 8.4. Collusion between RPs
It is possible for RPs to link data that they have collected on you. It is possible for RPs to link data that they have collected on you.
By using the same identifier to log into every RP, collusion between By using the same identifier to log into every RP, collusion between
RPs is possible. In SAML, targeted identity was introduced. RPs is possible. In SAML, targeted identity was introduced.
Targeted identity allows the IdP to transform the identifier the user Targeted identity allows the IdP to transform the identifier the user
typed in to an opaque identifier. This way the RP would never see typed in to an opaque identifier. This way the RP would never see
the actual user identifier, but a randomly generated identifier. the actual user identifier, but a randomly generated identifier.
This is an option the user has to understand and decide to use if the This is an option the user has to understand and decide to use if the
IdP is supporting it. IdP is supporting it.
skipping to change at page 19, line 5 skipping to change at page 22, line 5
Security Considerations: See this document Security Considerations: See this document
Published Specification: See this document Published Specification: See this document
For further information: Contact the authors of this document. For further information: Contact the authors of this document.
Owner/Change controller: the IETF Owner/Change controller: the IETF
Note: None Note: None
10. Normative References 10. References
10.1. Normative References
[OASIS.saml-bindings-2.0-os] [OASIS.saml-bindings-2.0-os]
Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
Maler, "Bindings for the OASIS Security Assertion Markup Maler, "Bindings for the OASIS Security Assertion Markup
Language (SAML) V2.0", OASIS Language (SAML) V2.0", OASIS
Standard saml-bindings-2.0-os, March 2005. Standard saml-bindings-2.0-os, March 2005.
[OASIS.saml-core-2.0-os] [OASIS.saml-core-2.0-os]
Cantor, S., Kemp, J., Philpott, R., and E. Maler, Cantor, S., Kemp, J., Philpott, R., and E. Maler,
"Assertions and Protocol for the OASIS Security Assertion "Assertions and Protocol for the OASIS Security Assertion
skipping to change at page 20, line 5 skipping to change at page 23, line 5
Security Layer (SASL)", RFC 4422, June 2006. Security Layer (SASL)", RFC 4422, June 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security
Service Application Program Interface (GSS-API) Mechanisms Service Application Program Interface (GSS-API) Mechanisms
in Simple Authentication and Security Layer (SASL): The in Simple Authentication and Security Layer (SASL): The
GS2 Mechanism Family", RFC 5801, July 2010. GS2 Mechanism Family", RFC 5801, July 2010.
10.2. Informative References
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, March 2003.
[RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 3920, October 2004.
Appendix A. Acknowledgments Appendix A. Acknowledgments
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh The authors would like to thank Scott Cantor, Joe Hildebrand, Josh
Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan, Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan,
Stefan Plug and Hannes Tschofenig for their review and contributions. Stefan Plug and Hannes Tschofenig for their review and contributions.
Appendix B. Changes Appendix B. Changes
This section to be removed prior to publication. This section to be removed prior to publication.
 End of changes. 28 change blocks. 
99 lines changed or deleted 198 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/