[Standards-JIG] JEP-0070: Transaction ID in Digest method

Maciek Niedzielski machekku at uaznia.net
Tue May 30 11:44:19 UTC 2006


Maciek Niedzielski wrote:
> Let's say I want to use JEP-70 with the digest method.
> My web browser sends a hash (e.g. MD5) of my JID + transaction ID +
> something else. A bit later, as the JEP says:
> "HTTP Server MUST pass the URL, method, JID, and transaction identifier
> to the XMPP Server for confirmation"
> How exactly may the server know the transaction identifier, if it was
> transformed by a unidirectional hash function?
> 
> I think that this ID could be passed via cnonce, since it really matches
> the original semantics of this argument.

Or maybe a more secure solution would be: ask the XMPP Client to provide the
same transaction ID and then compare the hashes. But this could be a
problem when one user has multiple HTTP sessions at the same time.


--
Maciek                       A: It's against natural order of reading.
 xmpp:machekku at uaznia.net   Q: Why is that?
 xmpp:machekku at chrome.pl   A: People answering above quoted text.
                          Q: What's the most annoying on newsgroups?
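The "ask the XMPP client for the transaction ID and compare the hashes" idea from the message above, as an added example that is not part of the original post or of JEP-0070. It assumes an RFC 2617 digest (qop=auth) with the JID as username and the transaction ID as password; the realm, nonces, URIs, JID and request ids are constructed sample values.

```python
import hashlib
import hmac

def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(jid, txid, req):
    # RFC 2617 request-digest, qop=auth. Assumed mapping (not stated in the
    # thread): username = JID, password = transaction ID.
    ha1 = md5_hex(f"{jid}:{req['realm']}:{txid}")
    ha2 = md5_hex(f"{req['method']}:{req['uri']}")
    return md5_hex(f"{ha1}:{req['nonce']}:{req['nc']}:{req['cnonce']}:auth:{ha2}")

def browser_request(jid, txid, uri, nonce, cnonce):
    # What the HTTP server sees: the digest, never the transaction ID itself.
    req = {"jid": jid, "realm": "xmpp", "method": "GET", "uri": uri,
           "nonce": nonce, "nc": "00000001", "cnonce": cnonce}
    req["response"] = digest_response(jid, txid, req)
    return req

def match_pending(pending, jid, candidate_txid):
    # Recompute the digest for every pending request from this JID using the
    # transaction ID reported by the XMPP client, and compare in constant time.
    hits = []
    for req_id, req in pending.items():
        if req["jid"] != jid:
            continue
        expected = digest_response(jid, candidate_txid, req)
        if hmac.compare_digest(expected, req["response"]):
            hits.append(req_id)
    return hits

# Constructed sample data: one user, two concurrent HTTP sessions.
JID = "user@example.org"
PENDING = {
    "req-1": browser_request(JID, "txid-alpha", "/files/a", "n-111", "c-aaa"),
    "req-2": browser_request(JID, "txid-beta", "/files/b", "n-222", "c-bbb"),
}

if __name__ == "__main__":
    for txid in ("txid-alpha", "txid-beta", "txid-wrong"):
        print(txid, "->", match_pending(PENDING, JID, txid))
```

With several sessions open for one JID, the server cannot tell in advance which request a reported ID belongs to, so it has to test the ID against every pending request; if the user typed the same ID into two sessions, both would match.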


