[Members] Jabber Software Map

Ulrich Staudinger us at activestocks.de
Fri Dec 2 06:46:44 CST 2005


On Fri, Dec 02, 2005 at 12:27:47PM -0000, Richard Dobson wrote:
> >I think it is a bad idea altogether to promote 1 central server, in a
> >protocol aimed at distribution. Instead, we should try our best to
> >distribute users over a set of good servers.
> 
> +1

Having a server where users can IM and use web site services with one
and the same account is not the same as promoting one central server. 

Being able to log in to IM and on the web is just strengthening a site. 

We are not saying "Hey, all use jabber.org for xmpp messaging, all other
servers are no good!", we are only leveraging the jabber technology, we
are using the user directory of the jabber server to provide a
personalized service for end users and developers. 

And the argument that j.o was hacked already doesn't really mean
anything. The only thing it means is that it could be hacked because
someone didn't take care. If we really go live with the software map
and with a bridged user directory (one way or the other) we would have
to make sure that the user information does not get compromised. 

I think providing a common login to j.o for users registered at IM-j.o
is simply out of discussion - if we want to enhance the j.o site we
will need personalized services sooner or later anyway. 

Another issue is that we always have the possibility (in order to make
things safe) of putting a password validator application on the jabberd machine.

By that I mean: 
* A simple HTTP server application (just some lines of code) that will
  accept requests from one specific IP only 
* an application that just provides one function call: validate(jid, pwd)
* provides this function over HTTP, like:
  http://athene.jabber.org:9999/validate?jid=uls@jabber.org&pwd=ex1318
* will return true or false in the request body. 

That way we would have a nice facade between the userbase and the web
application without compromising the safety of the j.o userbase. 

We could then still add request throttling to the http application to
permit only a certain amount of validation requests per minute or so ...

Does that sound better than direct access to the authreg table?


Cheers,
Ulrich
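
The validator facade described in the message above, as an added example that is not part of the original post or of any jabber.org code. The user store, allowed IP and rate limit are constructed assumptions, and the credentials travel in a POST body rather than in the URL so they do not end up in access logs.

```python
import hashlib, hmac, time
from collections import deque
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

ALLOWED_IP = "127.0.0.1"   # assumption: the one web host allowed to call
MAX_PER_MINUTE = 10        # assumption: throttle budget per 60 s window

def pw_hash(pwd, salt):
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 100_000)

# Constructed user store; a real service would look the jid up in authreg.
USERS = {"alice@example.org": (b"salt-a", pw_hash("correct horse", b"salt-a"))}
DUMMY = (b"salt-x", pw_hash("dummy", b"salt-x"))
recent = deque()           # timestamps of accepted requests

def validate(jid, pwd):
    salt, stored = USERS.get(jid, DUMMY)   # unknown jid still costs one hash
    ok = hmac.compare_digest(pw_hash(pwd, salt), stored)
    return ok and jid in USERS

def handle(client_ip, form, now=None):
    """Decide (status, body) for one request; the HTTP class only does I/O."""
    now = time.monotonic() if now is None else now
    if client_ip != ALLOWED_IP:
        return 403, "forbidden"
    while recent and now - recent[0] >= 60:
        recent.popleft()
    if len(recent) >= MAX_PER_MINUTE:
        return 429, "throttled"
    recent.append(now)
    jid = form.get("jid", [""])[0]
    pwd = form.get("pwd", [""])[0]
    return 200, "true" if validate(jid, pwd) else "false"

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):     # POST body keeps the password out of URLs and logs
        size = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(size).decode())
        status, body = handle(self.client_address[0], form)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())
    def log_message(self, *args):
        pass               # no per-request logging

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9999), Handler).serve_forever()
```

The web application only ever sees "true" or "false"; the stored hashes never leave the validator process.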




