[JDEV] Re: Verifying Jabber + External Ident apps + Presence scalability + New protocol ideas submissions

Dave Smith dave at jabber.org
Tue Jun 26 07:44:28 CDT 2001


This is a very interesting idea -- while I don't necessarily like M$'s
Passport schema (especially the part where you must auth via M$), I
think there may be merit there.

I strongly disagree with the idea of sending an IP embedded in
presence -- not only is it not scalable, it also doesn't really solve
any authentication problem. Just because you receive presence from
someone with an IP doesn't mean that person is actually on that
box. Also, as someone further down the thread pointed out, many people
are behind firewalls and pooled connections, so this concept just
doesn't work.

Realistically, what you're looking for is something along the lines of
kerberos. In a kerberos style setup, you authenticate once against a
central server and then are assigned a special "ticket" for a
specified amount of time. When you visit other entities which support
kerberos auth, you present the ticket and they query the central auth
server for the validity of the ticket. In this way, you can be behind
a firewall or whatever and still have a way of uniquely identifying a
person. Furthermore, the 3rd party doesn't know your password -- all
they have is a one-time, time-limited chunk of data with which to
validate you.

I'm not totally up to speed on the details of kerberos, but I believe
this is the general operation. Alternatively, one could implement a
system which behaves similarly using some mix of GPG/PGP.
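The ticket model sketched in the message above, as an added toy simulation (not Kerberos itself and not code from the poster or from Jabber): a central server authenticates the user once and issues a time-limited ticket; a third-party service never sees the password and identifies the user by asking the central server whether the ticket is valid. The class names, the `|`-separated ticket layout and the HMAC-based integrity check are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed toy of the "authenticate once, present a ticket elsewhere" model.
# The message calls the ticket one-time; real Kerberos service tickets are
# reusable within their lifetime, so the replay check here follows the message.

class CentralAuthServer:
    def __init__(self, users, ttl=300):
        self._users = users          # username -> password (demo store only)
        self._ttl = ttl              # ticket lifetime in seconds
        self._key = os.urandom(32)   # MAC key known only to this server
        self._used = set()           # ticket ids already redeemed (one-time use)

    def login(self, user, password, now):
        """Authenticate once; return a signed, time-limited ticket or None."""
        if self._users.get(user) != password:
            return None
        ticket_id = os.urandom(16).hex()
        expires = now + self._ttl
        body = f"{user}|{ticket_id}|{expires}".encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return f"{user}|{ticket_id}|{expires}|{tag}"

    def validate(self, ticket, now):
        """Called by a third party: return the verified username or None."""
        try:
            user, ticket_id, expires, tag = ticket.split("|")
        except ValueError:
            return None                      # malformed ticket
        body = f"{user}|{ticket_id}|{expires}".encode()
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or tampered ticket
        if now > int(expires) or ticket_id in self._used:
            return None                      # expired, or replayed
        self._used.add(ticket_id)
        return user

class ThirdPartyService:
    """A service that holds no passwords; it only knows how to reach the server."""
    def __init__(self, auth_server):
        self._auth = auth_server

    def identify(self, ticket, now):
        return self._auth.validate(ticket, now)
```

Because the third party trusts the central server's answer rather than anything in the ticket itself, the model works for users behind firewalls or shared connections, which is the point the message makes against embedding IPs in presence.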

