[Standards] XMPP OAuth2 login at Google

Peter Saint-Andre stpeter at stpeter.im
Tue Sep 18 17:21:48 UTC 2012


On 9/18/12 11:16 AM, Hannes Tschofenig wrote:
> Here is my impression: Since the community OAuth specification
> allowed the usage of PLAIN without TLS there is most likely still a
> lot of code out there that uses it without any confidentiality
> protection (which is obviously very insecure).

Indeed.

> (Btw, the current XMPP OAuth XEP is also insecure...)

Calling it "current" is a bit of a stretch. :) It was deferred for
inactivity quite some time ago. At this point, any use of OAuth in
XMPP would likely be based on the SASL mechanism.

Peter



