[Standards] Server acting on behalf of another

Alexander Holler holler at ahsoftware.de
Fri Sep 9 21:08:41 UTC 2011


Am 09.09.2011 21:08, schrieb Justin Karneges:
> I wonder how practical it would be to allow a third-party to send a stanza
> using a "from" domain that is already controlled by an existing server.
>
> I imagine a flow going something like this:
>
>    S1 = official server (owner of domain)
>    T1 = third party server (the one sending the stanza)
>    S2 = target server (the one receiving the stanza)
>
>    1) T1 handshakes with S2, claiming to be S1 and providing dialback key.
>    2) S2 dialbacks to S1, presenting dialback key for verification.
>    3) S1 replies with success, vouching for the key provided by T1.
>    4) T1 sends stanza to S2 using JID with domain @S1.
>
> The challenge with allowing a third-party to do this is the need for both S1
> and T1 to understand the same dialback key scheme, which may involve sharing
> data or sharing a secret key and algorithm.  Has anyone considered a standard
> approach for this?
>
> One situation I could see this being useful is if you wanted to delegate the
> task of sending a lot of pubsub notification events to a third party server.
> However, there is still one problem with this offloading idea which is that all
> the dialback requests would still blast S1 to hell.

You can't allow another server to behave like one from a foreign domain 
he can't offer an authorization for. And standardizing how servers are 
clustered doesn't make sense because that is highly dependant on the 
configuration and internal work flows (e.g. how data is shared between 
servers).

Regards,

Alexander



More information about the Standards mailing list