[Standards-JIG] JEP-0070: Transaction ID in Digest method

Maciek Niedzielski machekku at uaznia.net
Tue May 30 17:45:53 UTC 2006


Peter Saint-Andre wrote:
> Maciek Niedzielski wrote:
>>> Let's say I want to use JEP-70 with the digest method.
>>> My web browser sends a hash (e.g. MD5) of my JID + transaction ID +
>>> something else. A bit later, as the JEP says:
>>> "HTTP Server MUST pass the URL, method, JID, and transaction identifier
>>> to the XMPP Server for confirmation"
>>> How exactly may the server know the transaction identifier, if it was
>>> transformed by a unidirectional hash function?
>>> I think that this ID could be passed via cnonce, since it really matches
>>> the original semantics of this argument.
> "When the realm is "xmpp", the profile defined herein further specifies
> that prior to creating the MD5 checksum the username MUST be a valid JID
> as described above, that the password MUST be a transaction identifier
> as described above"
> That seems wrong, since there is no "password" entity in digest auth.
> Passing the transaction ID via the cnonce seems to be better.

This unfortunately makes the transaction ID "visible" to others watching
our connection. If it were invisible (like before, in the not-so-working
version), one could confirm this transaction ID via XMPP once and then
trust it for some time. If it becomes visible, you need to choose a
different transaction ID for every request (just like in the Basic method).

Having just one XMPP confirmation for multiple requests could be a big
advantage: just imagine opening a website with many images, etc., and
every one of them requiring its own confirmation via XMPP. Even if this is
automated (the user does not confirm manually), I'm afraid it may become
slow (I think it's faster to check a user's password in a file or in a
database, as it is done now, than to exchange stanzas). And if it is
done by hand, users will just hate it. And they won't even try to check
whether the transaction IDs match or not - they will just press "yes", getting
more and more annoyed every time they click.

So - as I suggested in another message in this thread - how about adding
an alternative method of confirming via XMPP, which would ask the user to
provide the same transaction ID as in the HTTP request?

--
Maciek                       A: It's against natural order of reading.
 xmpp:machekku at uaznia.net   Q: Why is that?
 xmpp:machekku at chrome.pl   A: People answering above quoted text.
                          Q: What's the most annoying on newsgroups?
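The point argued in this thread, worked through in code (an added example, not code from the thread, from XEP-0070 or from any XMPP server): the client folds the transaction ID into the RFC 2617 Digest "response" as the password, with the JID as username and realm "xmpp", so the HTTP server cannot read the ID back out of the header; it can only test the response against IDs it already holds, here modelled as the set of IDs previously confirmed for that JID over XMPP (the XMPP exchange itself is not implemented). The JID, transaction ID and nonces are constructed sample values.

```python
import hashlib
import hmac
import re
import secrets

REALM = "xmpp"  # realm XEP-0070 assigns to its Digest profile

def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(jid, transaction_id, method, uri, nonce, cnonce, nc="00000001", qop="auth"):
    """RFC 2617 'response' for the profile under discussion: username is
    the JID and the password slot carries the transaction identifier."""
    ha1 = _md5(f"{jid}:{REALM}:{transaction_id}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_authorization(jid, transaction_id, method, uri, nonce, cnonce=None):
    """Browser side. The transaction id only enters the one-way hash and
    never appears in the header; the cnonce, by contrast, is sent in clear."""
    cnonce = cnonce or secrets.token_hex(8)
    fields = {"username": jid, "realm": REALM, "nonce": nonce, "uri": uri,
              "cnonce": cnonce, "nc": "00000001", "qop": "auth",
              "response": digest_response(jid, transaction_id, method, uri, nonce, cnonce)}
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in fields.items())  # all fields quoted for simplicity

def parse_authorization(header):
    if not header.startswith("Digest "):
        raise ValueError("not a Digest credential")
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("Digest "):]))

def server_verify(header, method, confirmed_ids):
    """HTTP server side. The id cannot be read back out of the digest, so the
    server can only try ids it already holds (e.g. those confirmed for this
    JID over XMPP earlier); returns the matching id or None."""
    f = parse_authorization(header)
    for tid in confirmed_ids:
        expected = digest_response(f["username"], tid, method, f["uri"],
                                   f["nonce"], f["cnonce"], f["nc"], f["qop"])
        if hmac.compare_digest(expected, f["response"]):
            return tid
    return None

if __name__ == "__main__":
    # constructed sample values, not taken from the thread
    hdr = client_authorization("juliet@example.com", "a7374c", "GET", "/secret.html", "nonce-1")
    print(hdr)
    print(server_verify(hdr, "GET", {"a7374c", "other"}))
```

A cached confirmation is what lets one XMPP round trip cover many requests; with a fresh ID per request, as the visible-cnonce variant forces, the set would have to be refilled every time.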
