[Standards] XEP 0124 Section 9

Ian Paterson ian.paterson at clientside.co.uk
Thu Feb 15 19:22:21 UTC 2007


Steve Shaffer wrote:
> Perhaps a system could be worked out that validates the integrity of 
> the connection manager(CM)

Well, if your client uses HTTPS (SSL/TLS) then it is validating the 
identity of the CM (via its SSL certificate). And the server knows that 
the client seems to trust the CM (otherwise how did the CM authenticate 
on behalf of the client). Is that enough?

> If the integrity of the connection manager can be assessed then 
> relying on TLS  between the  server and the CM and  Https (TLS) 
> between the CM and the client is a better option than burdening the 
> browser javascript or java.

I guess it is good enough for this version of XEP-0124. We'll look at 
this again in the future.

> There is a place for a remote external CM even when all servers have 
> HTTP connection managers.  In particular where messaging is a part of 
> a larger suite of web services.

Yes. Although XEP-0124's new Alternative Script Syntax reduces the need 
significantly, since it allows clients to connect cross-domain. Here's 
the working copy:
http://www.clientside.co.uk/xeps/xep-0124/xep-0124.html#script

- Ian




More information about the Standards mailing list