[Standards] XMPP OAuth2 login at Google

Peter Saint-Andre stpeter at stpeter.im
Mon Sep 24 14:44:11 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/18/12 12:19 PM, Hannes Tschofenig wrote:
> On 09/18/2012 08:51 PM, Peter Saint-Andre wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 9/18/12 11:25 AM, Hannes Tschofenig wrote:
>>> On 09/18/2012 08:21 PM, Peter Saint-Andre wrote:
>>>>> (Btw, the current XMPP OAuth XEP is also insecure...)
>>>> Calling it "current" is a bit of a stretch. :)  It was
>>>> deferred for inactivity quite some time ago. At this point,
>>>> any use of OAuth in XMPP would likely be based on the SASL
>>>> mechanism.
>>> 
>>> I didn't know.
>> 
>> Well, Hannes, you can't know everything. ;-)
> 
> hmmm.

Given how many efforts you're involved in, you know most things, just
not everything. ;-)

>>> I even thought that it covered an entirely different use case, 
>>> namely between two endpoints rather than between the end host
>>> and the XMPP server (whatever the right XMPP terminology here
>>> is).
>> 
>> True, but it seems that few people are interested in those use
>> cases (e.g., using OAuth for authorization to join a chatroom).
> I had gotten the impression that XEP 235 
> http://xmpp.org/extensions/xep-0235.html was motivated by the
> Yahoo FireEagle work.
> 
> My understanding was that the usage was really end-to-end rather
> than from the end host to the first hop. From a security point of
> view that makes a huge difference. So, XEP 235 wasn't really secure
> usage of OAuth in XMPP to begin with, and that may have motivated
> them to change it.
> 
> I am saying this because I went through the same design exercise
> with the SAML SIP work. There, however, we ran into lots of
> problems with the way SBCs prevent any useful security
> mechanism from working.

Well, we don't have those SBCs in the XMPP world, but there are
intermediate entities (servers) in the path. And you're right that it
wasn't really secure anyway, which is one reason we abandoned the
effort (that, and lack of interest).

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBgcbsACgkQNL8k5A2w/vzSgwCeKUhTaf5uCDPOQl7PXm/HU5SO
RdUAniaUUtTufrsYhjjlpAbo5IR7+lP4
=ju9y
-----END PGP SIGNATURE-----
