[Standards] HTTP Authentication with XMPP (Concern over XEP-70)

Alex Jones alex at weej.com
Wed Dec 19 12:44:22 CST 2007


Hi list

A few months ago, I became concerned with XEP-70: Verifying HTTP  
Requests via XMPP[1]. As far as I can tell, deployment of this XEP  
would potentially allow for malicious abuse.

The protocol seems to be a little backward, in that I can provide a  
relying party with any arbitrary JID (in the HTTP request), and then  
they will send a message to that JID. This is a bad idea, and it  
allows me to initiate spam against anyone I know the JID of.

What's going on with XEP-101: HTTP Authentication Using Jabber  
Tickets[2]? It's "Deferred", yet it seems to, more or less, do the  
same thing in a better fashion.

I'd like to point out that deployment of something of this type could  
potentially be a much better solution to the problem of decentralised  
authentication than OpenID, which lately seems to be a little misguided.

I envisage going to a website, clicking "Authenticate via XMPP",  
having my browser and my XMPP client do some IPC magic and prompt me  
to choose an identity (i.e. a JID) to authenticate as, and then being  
authenticated with the website.

Cheers

[1] http://www.xmpp.org/extensions/xep-0070.html
[2] http://www.xmpp.org/extensions/xep-0101.html
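To make the concern concrete, here is an added illustration (my own, not code from XEP-0070, XEP-0101 or the poster) of the relying-party side of XEP-0070. The HTTP server takes whatever JID the HTTP request names and sends that JID a `<confirm/>` IQ, so the JID is chosen by the HTTP client, not by the server. The mitigation shown, a per-target-JID and per-peer budget on outbound confirm requests, is an assumption of mine about how a deployment might limit the exposure; it is not part of the XEP text. Parsing the HTTP authentication header is not shown, and the JIDs, host name, peer addresses and limits are constructed sample values.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Namespace of the <confirm/> element defined in XEP-0070.
HTTP_AUTH_NS = "http://jabber.org/protocol/http-auth"


def bare_jid(jid):
    """Strip the resource and lower-case the result.
    Simplification: full JID canonicalisation (stringprep) is more involved."""
    return jid.split("/", 1)[0].lower()


def build_confirm_iq(rp_jid, target_jid, txn_id, method, url, iq_id):
    """Build the XEP-0070 confirmation request the relying party sends to
    the JID named in the HTTP request. Note that target_jid comes straight
    from the HTTP client; nothing here proves the client controls that JID."""
    iq = ET.Element("iq", {"type": "get", "from": rp_jid, "to": target_jid, "id": iq_id})
    ET.SubElement(iq, "confirm",
                  {"xmlns": HTTP_AUTH_NS, "id": txn_id, "method": method, "url": url})
    return ET.tostring(iq, encoding="unicode")


def parse_confirm(stanza):
    """Return the <confirm/> attributes of a serialised IQ (for checks and logging)."""
    root = ET.fromstring(stanza)
    confirm = root.find("{%s}confirm" % HTTP_AUTH_NS)
    if confirm is None:
        return None
    return {"to": root.get("to"), "id": confirm.get("id"),
            "method": confirm.get("method"), "url": confirm.get("url")}


class ConfirmGate:
    """Sliding-window budget on outbound <confirm/> requests.
    Hypothetical mitigation (not from the XEP): limits how many confirms a
    single target JID receives, and how many a single HTTP peer can trigger,
    within `window` seconds."""

    def __init__(self, max_per_jid=3, max_per_peer=10, window=60.0):
        self.max_per_jid = max_per_jid
        self.max_per_peer = max_per_peer
        self.window = window
        self._by_jid = defaultdict(deque)   # bare JID -> timestamps of confirms sent
        self._by_peer = defaultdict(deque)  # peer address -> timestamps of confirms sent

    def _prune(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, peer, target_jid, now):
        jid_q = self._by_jid[bare_jid(target_jid)]
        peer_q = self._by_peer[peer]
        self._prune(jid_q, now)
        self._prune(peer_q, now)
        if len(jid_q) >= self.max_per_jid:
            return False, "target JID confirm budget exhausted"
        if len(peer_q) >= self.max_per_peer:
            return False, "peer confirm budget exhausted"
        jid_q.append(now)
        peer_q.append(now)
        return True, "ok"


def handle_http_auth(gate, peer, rp_jid, requested_jid, txn_id, method, url, now):
    """Relying-party decision for one HTTP request that named `requested_jid`.
    Returns (stanza, reason): the stanza to send, or None when the gate refuses."""
    ok, reason = gate.allow(peer, requested_jid, now)
    if not ok:
        return None, reason
    stanza = build_confirm_iq(rp_jid, requested_jid, txn_id, method, url, iq_id="ha-" + txn_id)
    return stanza, "sent"


if __name__ == "__main__":
    # Constructed scenario: three different HTTP peers all name the same JID.
    gate = ConfirmGate(max_per_jid=2, max_per_peer=10, window=60.0)
    url = "https://files.example.org/missive.html"
    for i, peer in enumerate(["198.51.100.7", "198.51.100.8", "198.51.100.9"]):
        stanza, reason = handle_http_auth(gate, peer, "files.example.org",
                                          "juliet@capulet.example/balcony",
                                          "t%d" % i, "GET", url, now=float(i))
        print(peer, reason, parse_confirm(stanza) if stanza else None)
```

With the unmodified flow every request would produce a stanza to `juliet@capulet.example`; with the gate, the third request within the window is refused, and the per-peer budget keeps one HTTP client from spreading the same volume across many JIDs.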

