[Security] client-to-client security :: Summary and todo's

Pavel Simerda pavlix at pavlix.net
Sat Aug 23 10:08:21 CDT 2008

On Sat, 23 Aug 2008 16:23:28 +0200
Dirk Meyer <dmeyer at tzi.de> wrote:

> Pedro Melo wrote:
> > Hi,
> >
> > On Aug 23, 2008, at 2:12 PM, Dirk Meyer wrote:
> >> IMHO OAuth is kind of stupid. I have to trust a server I do not
> >> know. No, the point is that I can upload a certificate to my XMPP
> >> server and the owner of that certificate (a bot, a client I do not
> >> trust) can log in using SASL-EXTERNAL as me without having the
> >> password.
> >
> > OAuth is not stupid. The server you do not trust is your own XMPP
> > server. If you don't trust that, well, what are you doing connected
> > to him?
> Oops, sorry, I messed up OAuth and OpenID. My fault, ignore me.

OpenID doesn't seem stupid to me either. "Stupid" is a word that only means
you didn't bother to find more information. When one knows what's going
on, he might use "unsuitable for our purpose because...".

> > I can ask my XMPP server for an opaque token that I provide to my bot
> > and he can use that to authenticate.
> >
> > Having said that, I also like your "upload-certificate" idea.
> Combine OAuth with SASL for server login .... nice one. Use your XMPP
> connection to generate a token and give that to the new not-so-trusted
> client and it can log in with it. The client gives away its
> certificate for future logins.

Isn't OAuth HTTP? Does it bring anything useful enough for XMPP instead
of a need to use HTTP besides? Correct me if I'm wrong.

> >>> Yes, what do we need from the server? In a perfect world I would
> >>> hope not to have to go through the server apart from the Jingle
> >>> negotiation? Ok, and IBB-Jingle fallback.
> >>
> >> In that case we need a SOCKS5 proxy or a TURN server. I prefer the
> >> TURN server but we lack ice-tcp support to use it.
> >
> > If you can negotiate a direct TCP (or TCP-like with order
> > guarantees) via ICE, much better.
> Direct should be possible if only one is behind a NAT or a
> firewall. If both are you need the help of a TURN server. Well, there
> is STUNT (STUN over TCP) but IMHO this is a bad hack and it won't work
> with all routers. You could also add UPnP IGD to open a port on your
> router, or the similar method Apple used (I can not remember the name
> right now, it is an IETF draft) or you can put a TURN server on your
> router.

Erm, there are many possibilities to start a session between two
clients behind a NAT. Why do we have Jingle-ICE if not for sending data
over NATs? UPnP is a good choice when users have access to router
administration (home use).

> >> I also need the server to help me find a TURN server I can use if I
> >> need one.
> >
> > Isn't this a problem to be solved by the Jingle specs?
> Yes. On the list we only need to know that there is a way to open a
> stream between clients. How we do that should be discussed on the
> jingle list.

True enough.

> Dirk


Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net
