[Security] client-to-client security :: Summary and todo's

Pedro Melo melo at simplicidade.org
Sun Aug 24 02:51:55 CDT 2008


Hi,

On Aug 23, 2008, at 4:08 PM, Pavel Simerda wrote:
> On Sat, 23 Aug 2008 16:23:28 +0200
> Dirk Meyer <dmeyer at tzi.de> wrote:
>
>> Pedro Melo wrote:
>>> I can ask my XMPP server for an opaque token that I provide to my bot
>>> and he can use that to authenticate.
>>>
>>> Having said that, I also like your "upload-certificate" idea.
>>
>> Combine OAuth with SASL for server login .... nice one. Use your XMPP
>> connection to generate a token and give that to the new not-so-trusted
>> client and it can log in with it. The client gives away its
>> certificate for future logins.
>
> Isn't OAuth HTTP? Does it bring anything useful enough for XMPP instead
> of a need to use HTTP besides? Correct me if I'm wrong.

The conversation spliced IMHO.

Getting the OAuth token is done over HTTP, but you can provide it via  
XMPP (this was clarified in the recent XMPP meeting at OSCON, I don't  
know if XEP-0235 was updated with that feedback, but see Peter's blog  
post on the subject - https://stpeter.im/?p=2228).

My proposal is similar to OAuth, in the sense that an authorized  
client asks from the service provider a token that allows whoever  
uses it access to the user resources.

But it was not OAuth over XMPP.

FYI, I know of at least two implementations that have extended the  
normal XMPP authentication with token-based methods, in which you get  
a token via other protocol (usually HTTP) and then use it to  
authenticate. One of them is Google (see
http://dystopics.dump.be/2006/02/04/the-mysteries-of-x-google-token-and-why-it-matters/
for some details on how it works).

>>>> I also need the server to help me find a TURN server I can use if I
>>>> need one.
>>>
>>> Isn't this a problem to be solved by the Jingle specs?
>>
>> Yes. On the list we only need to know that there is a way to open a
>> stream between clients. How we do that should be discussed on the
>> jingle list.
>
> True enough.

+1

Best regards,
-- 
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org
Use XMPP!
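The token-based login discussed in this reply (an already-authenticated session asks the server for an opaque token, and a less-trusted client such as a bot later presents that token to log in), as an added illustration that is not part of this thread, of XEP-0235 or of Google's mechanism. The token format, the `X-TOKEN` mechanism name, the `scope` field and the per-token revocation list are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the "opaque token" idea in the thread; its format, checks
# and mechanism name are assumptions, not XEP-0235 and not Google's X-GOOGLE-TOKEN.
class TokenAuthority:
    def __init__(self, server_key, ttl_seconds=3600):
        self.server_key = server_key
        self.ttl = ttl_seconds
        self.revoked = set()  # ids of tokens the account owner has revoked

    def issue(self, jid, scope, now=None):
        # Called over the owner's already-authenticated XMPP session.
        expires = int(now if now is not None else time.time()) + self.ttl
        token_id = secrets.token_hex(8)  # lets one bot's token be revoked on its own
        body = f"{jid}|{scope}|{expires}|{token_id}".encode()
        tag = hmac.new(self.server_key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body + b"|" + tag.encode()).decode()

    def _parse(self, token):
        raw = base64.urlsafe_b64decode(token.encode())
        body, _, tag = raw.rpartition(b"|")  # hex tag never contains '|'
        jid, scope, expires, token_id = body.decode().split("|")
        return jid, scope, int(expires), token_id, body, tag

    def revoke(self, token):
        self.revoked.add(self._parse(token)[3])

    def verify(self, token, now=None):
        # Returns (jid, scope) for a valid token, else None.
        try:
            jid, scope, expires, token_id, body, tag = self._parse(token)
        except ValueError:  # bad base64, bad UTF-8, bad int or wrong field count
            return None
        expected = hmac.new(self.server_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected.encode()):
            return None  # forged or tampered token
        if token_id in self.revoked or (now if now is not None else time.time()) >= expires:
            return None  # revoked or expired
        return jid, scope

def handle_auth(authority, mechanism, initial_response, now=None):
    # Server side of a hypothetical SASL X-TOKEN <auth/>: the bot sends only the token.
    if mechanism != "X-TOKEN":
        return ("failure", "invalid-mechanism")
    result = authority.verify(initial_response, now=now)
    return ("success",) + result if result else ("failure", "not-authorized")
```

Because the token carries its own id, the owner can revoke a single bot's credential without changing the account password, which is the practical advantage over handing the bot the password itself.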