[Standards] Proposed XMPP Extension: Token-based reconnection
me at thijsalkema.de
Fri Feb 5 19:01:10 UTC 2016
> On 5 feb. 2016, at 17:15, XMPP Extensions Editor <editor at xmpp.org> wrote:
> The XMPP Extensions Editor has received a proposal for a new XEP.
> Title: Token-based reconnection
> Abstract: This specification defines a token-based session authentication mechanism similar to OAuth.
> URL: http://xmpp.org/extensions/inbox/token-reconnection.html
> The XMPP Council will decide in the next two weeks whether to accept this proposal as an official XEP.
As it is currently written this looks like a rather bad idea to me, or at
least needs a much longer Security Considerations section than it currently
SCRAM offers protection from replay-attacks, mutual authentication and
optionally channel binding. Not only does this specification give up on all of
those, but it also makes it trivial for an active attacker to cause a
reconnection where SCRAM will be downgraded to this. One suggestion to fix this
is by requiring the client to verify that the server's certificate is
* It's named "X-OAUTH". How does it compare to RFC 7628?
* It should probably have a disco feature so the client can determine whether
it can retrieve a token.
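As an added illustration of the downgrade concern raised above (example code, not from the proposal or the list post): a client-side mechanism selection policy that never prefers the token over SCRAM when both are offered, and treats a server that previously supported SCRAM but now offers only the token as a downgrade unless its certificate is unchanged from when the token was issued. The mechanism names other than "X-OAUTH", the ranking and the certificate-comparison rule are assumptions of this example.

```python
# Added example, not part of the proposal or the thread. Assumptions: the
# SCRAM mechanism names, the strength ranking, and the "same certificate as
# at token issuance" rule are illustrative choices for this snippet.
from dataclasses import dataclass
from typing import Optional

SCRAM_PLUS = ("SCRAM-SHA-1-PLUS", "SCRAM-SHA-256-PLUS")  # channel-binding variants
SCRAM = ("SCRAM-SHA-1", "SCRAM-SHA-256")
TOKEN = "X-OAUTH"  # mechanism name used by the proposal


def strength(mech: str) -> int:
    """Rank mechanisms: channel-bound SCRAM > plain SCRAM > token > unknown."""
    if mech in SCRAM_PLUS:
        return 3
    if mech in SCRAM:
        return 2
    if mech == TOKEN:
        return 1
    return 0


@dataclass
class ReconnectContext:
    previous_mech: str     # mechanism used on the session that issued the token
    token_cert_fp: str     # server certificate fingerprint seen at token issuance
    current_cert_fp: str   # server certificate fingerprint on this reconnection


def choose_mechanism(offered: list, ctx: ReconnectContext) -> Optional[str]:
    """Pick the strongest offered mechanism. The token is accepted only if it
    is the strongest on offer AND either the server never did better before
    or its certificate matches the one seen when the token was issued."""
    best = max(offered, key=strength, default=None)
    if best is None or strength(best) == 0:
        return None  # nothing we recognise; refuse rather than fall back
    if best == TOKEN and strength(ctx.previous_mech) > strength(TOKEN):
        # Server previously offered SCRAM but now only the token: treat as a
        # downgrade attempt unless the certificate is unchanged (assumption).
        if ctx.current_cert_fp != ctx.token_cert_fp:
            return None
    return best
```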