[standards-jig] UPDATED: Jabber HTTP Polling (JEP-0025)

Mike Lin mikelin at MIT.EDU
Mon Sep 23 19:14:27 CDT 2002


Hi guys, I think the security provided in the new JEP-0025 is sufficient.
Although it doesn't protect against man-in-the-middle attacks, there are
understandable considerations wrt computational expense in hashing the
payload.

Back when I was first bitching about JEP-0025, in response to computational
concerns I suggested that we might use a ticket algorithm that depends on a
shared secret (the user's password) in order to predetermine all the tickets
for the stream. The potential optimization here is that since all the
tickets are predetermined, the server might precompute and cache them during
idle cycles, and thus distribute its workload more intelligently. The
ZeroK-like algorithm described in the new JEP-0025, however, requires that
the server run a SHA-1 hash after the request is received and before it is
processed.

I think it was Joe that raised this objection to what I proposed: the
dependence on the user's password as the shared secret means that the HTTP
polling daemon can't be its own separate unit because it has to have
knowledge of the user's password in cleartext. This is a fair point, but if
computational expense is the rationale for not hashing the whole payload,
then I would suggest it might be worth considering.

-Mike

----- Original Message -----
From: "Peter Saint-Andre" <stpeter at jabber.org>
To: <standards-jig at jabber.org>
Sent: Monday, September 23, 2002 7:28 PM
Subject: [standards-jig] UPDATED: Jabber HTTP Polling (JEP-0025)


> David Waite has sent me an updated version of JEP-0025. This is not a
> standards-track JEP. Instead it is an informational JEP describing the
> protocol for Jabber, Inc.'s use of HTTP polling for Jabber communications.
> You may review the document here:
>
> http://www.jabber.org/jeps/jep-0025.html
>
> Peter
>
> --
> Peter Saint-Andre
> Jabber Software Foundation
> http://www.jabber.org/people/stpeter.html
>
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
>
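The two schemes Mike weighs above, as an added example: this is my code, not anything from JEP-0025 or from anyone in this thread. Scheme 1 is a SHA-1 hash chain in the style of the "ZeroK-like" mechanism the message attributes to JEP-0025 (the real JEP's wire format is not reproduced); the server holds the chain tip and must run one SHA-1 after each request arrives. Scheme 2 is the shared-secret proposal: tickets derived from the password and a session identifier, which the server can fill into a table during idle time and then only look up. The HMAC-SHA1 derivation, the class names and the sample payloads are my assumptions. The final checks show the point both the message and the JEP concede: neither scheme covers the payload, so a man-in-the-middle who forwards the client's valid key with a different body is accepted.

```python
# Added example, not code from JEP-0025 or from anyone in this thread.
# Scheme 1: SHA-1 hash chain (one SHA-1 on the server per request).
# Scheme 2: tickets precomputed from a shared secret (table lookup only).
# HMAC-SHA1 as the ticket derivation and all names are assumptions.
import hashlib
import hmac
import secrets


# --- Scheme 1: hash chain, verified with one SHA-1 at request time ---
def make_chain(seed: bytes, length: int) -> list[bytes]:
    """key[0] = seed, key[i] = SHA1(key[i-1]). The client reveals keys from
    the end of the list backwards, so each key sent is a preimage of the
    key the server already holds."""
    chain = [seed]
    for _ in range(length):
        chain.append(hashlib.sha1(chain[-1]).digest())
    return chain


class ChainServer:
    def __init__(self, anchor: bytes):
        self.current = anchor          # last key accepted (the chain tip)
        self.hashes_per_request = 1    # work that cannot be done ahead of time

    def accept(self, key: bytes, payload: bytes) -> bool:
        # The payload takes no part in the check, as in the scheme discussed.
        if hashlib.sha1(key).digest() != self.current:
            return False
        self.current = key             # a replay of this same key now fails
        return True


# --- Scheme 2: tickets from a shared secret, precomputed by the server ---
def derive_ticket(password: bytes, session: bytes, n: int) -> bytes:
    """Ticket n for this session. HMAC-SHA1 is an assumed derivation; the
    message only says the tickets depend on the shared secret."""
    msg = session + n.to_bytes(4, "big")
    return hmac.new(password, msg, hashlib.sha1).digest()


class TicketServer:
    def __init__(self, password: bytes, session: bytes, count: int):
        # Needs the cleartext password: the objection raised in the message.
        # The whole table can be built during idle cycles.
        self.table = [derive_ticket(password, session, n) for n in range(count)]
        self.expected = 0
        self.hashes_per_request = 0    # only a lookup and a compare remain

    def accept(self, ticket: bytes, payload: bytes) -> bool:
        if self.expected >= len(self.table):
            return False
        if not hmac.compare_digest(self.table[self.expected], ticket):
            return False
        self.expected += 1             # each ticket is usable once, in order
        return True


def demo() -> dict:
    """Run both schemes through a normal request, a replay, and a
    man-in-the-middle who keeps the key but swaps the body."""
    out = {}

    chain = make_chain(secrets.token_bytes(20), 4)   # constructed session
    srv = ChainServer(anchor=chain[-1])              # anchor sent at start
    k1, k2 = chain[-2], chain[-3]
    out["chain_ok"] = srv.accept(k1, b"<message>hi</message>")
    out["chain_replay_rejected"] = not srv.accept(k1, b"<message>hi</message>")
    # Attacker forwards the client's next valid key with a different body.
    out["chain_tampered_accepted"] = srv.accept(k2, b"<message>pwned</message>")
    out["chain_hashes_per_request"] = srv.hashes_per_request

    pw, sess = b"user-password", b"session-42"      # constructed values
    tsrv = TicketServer(pw, sess, count=4)
    t0, t1 = derive_ticket(pw, sess, 0), derive_ticket(pw, sess, 1)
    out["ticket_ok"] = tsrv.accept(t0, b"<message>hi</message>")
    out["ticket_replay_rejected"] = not tsrv.accept(t0, b"<message>hi</message>")
    out["ticket_tampered_accepted"] = tsrv.accept(t1, b"<message>pwned</message>")
    out["ticket_hashes_per_request"] = tsrv.hashes_per_request
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows both servers rejecting a replayed key or ticket and both accepting the tampered body, which is the man-in-the-middle gap the message accepts as the price of not hashing the payload; the difference between the two is only where the SHA-1 work lands (per request in the chain, ahead of time in the ticket table) and what the server has to hold to do it (a chain tip versus the user's cleartext password).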