13 Jan
2025
13 Jan
'25
4:50 a.m.
This message constitutes notice of a Last Call for comments on
XEP-0484.
Title: Fast Authentication Streamlining Tokens
Abstract:
This specification defines a token-based method to streamline
authentication in XMPP, allowing fully authenticated stream
establishment within a single round-trip.
URL: https://xmpp.org/extensions/xep-0484.html
This Last Call begins today and shall end at the close of business on
2025-01-27.
Please consider the following questions during this Last Call and send
your feedback to the standards(a)xmpp.org discussion list:
1. Is this specification needed to fill gaps in the XMPP protocol
stack or to clarify an existing protocol?
2. Does the specification solve the problem stated in the introduction
and requirements?
3. Do you plan to implement this specification in your code? If not,
why not?
4. Do you have any security concerns related to this specification?
5. Is the specification accurate and clearly written?
Your feedback is appreciated!
13 Jan
13 Jan
7:35 a.m.
On Mon, Jan 13, 2025 at 12:50 PM Daniel Gultsch <daniel(a)gultsch.de> wrote:
This message constitutes notice of a Last Call for comments on
XEP-0484.
Title: Fast Authentication Streamlining Tokens
Abstract:
This specification defines a token-based method to streamline
authentication in XMPP, allowing fully authenticated stream
establishment within a single round-trip.
URL: https://xmpp.org/extensions/xep-0484.html
This Last Call begins today and shall end at the close of business on
2025-01-27.
Please consider the following questions during this Last Call and send
your feedback to the standards(a)xmpp.org discussion list:
1. Is this specification needed to fill gaps in the XMPP protocol
stack or to clarify an existing protocol?
Yes. Making login/resumption faster is important and FAST is the last
building block in the new SASL2/Bind 2 stack that isn’t stable yet.
2. Does the specification solve the problem stated in
the introduction
and requirements?
yes
3. Do you plan to implement this specification in your
code? If not,
why not?
Yes it’s implemented in Conversations
4. Do you have any security concerns related to this
specification?
Yes. I think the section 3.2 as well as the security considerations
are missing text that instruct developers not to downgrade their
channel binding method compared to their normal login method. Meaning
when logged in with SCRAM-SHA1-PLUS/exporter only tokens that use an
equivalent or better channel binding mechanism should be requested
and/or excepted.
The channel bindings for normal login are protected via XEP-0474: SASL
SCRAM Downgrade Protection while the fast mechanisms are not covered
by this. That’s fine if and only if we add language to 484 saying that
clients should not request anything weaker than used during login.
5. Is the specification accurate and clearly written?
Yes
5
days inactive
5
days old
1 comments
1 participants
participants (1)
-
Daniel Gultsch