[Standards] Proposed XMPP Extension: Token-based reconnection

Thijs Alkemade me at thijsalkema.de
Fri Feb 5 19:01:10 UTC 2016


> On 5 feb. 2016, at 17:15, XMPP Extensions Editor <editor at xmpp.org> wrote:
> 
> The XMPP Extensions Editor has received a proposal for a new XEP.
> 
> Title: Token-based reconnection
> 
> Abstract: This specification defines a token-based session authentication mechanism similar to OAuth.
> 
> URL: http://xmpp.org/extensions/inbox/token-reconnection.html
> 
> The XMPP Council will decide in the next two weeks whether to accept this proposal as an official XEP.

As it is currently written, this looks like a rather bad idea to me, or at
least needs a much longer Security Considerations section than it currently
has.

SCRAM offers protection from replay attacks, mutual authentication and
optionally channel binding. Not only does this specification give up on all of
those, but it also makes it trivial for an active attacker to cause a
reconnection where SCRAM will be downgraded to this. One suggestion to fix
this is to require the client to verify that the server's certificate is
unchanged.

Other comments:

* It's named "X-OAUTH". How does it compare to RFC 7628?

* It should probably have a disco feature so the client can determine whether
  it can retrieve a token.

Regards,
Thijs
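The following is an added example, not code from the proposal, from the poster, or from any XMPP library. It sketches, on the client side, the two points raised above: a disco#info check for whether the server advertises token-based reconnection, and a rule that the X-OAUTH mechanism is only used when the server's TLS certificate is byte-for-byte the one seen in the session where SCRAM authenticated the server, falling back to SCRAM otherwise. The feature var `urn:example:token-reconnection`, the function names, and the certificate bytes are all assumptions constructed for this example; only the mechanism name X-OAUTH and the disco#info namespace come from the thread and XEP-0030.

```python
"""Client-side downgrade guard for token-based reconnection (added example).

Assumptions: the proposal's disco feature var is unknown here, so a placeholder
is used; certificates are compared by SHA-256 over their DER encoding.
"""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Placeholder feature var (assumption); the real one would come from the XEP.
TOKEN_FEATURE_VAR = "urn:example:token-reconnection"
# Real namespace from XEP-0030.
DISCO_INFO_NS = "http://jabber.org/protocol/disco#info"

# Constructed stand-ins for DER certificate bytes (not real certificates).
ORIGINAL_CERT = b"constructed-der-bytes-original-server-cert"
OTHER_CERT = b"constructed-der-bytes-some-other-cert"

# Constructed disco#info result advertising the placeholder feature.
SAMPLE_DISCO = (
    '<query xmlns="http://jabber.org/protocol/disco#info">'
    '<feature var="http://jabber.org/protocol/disco#info"/>'
    f'<feature var="{TOKEN_FEATURE_VAR}"/>'
    "</query>"
)

# Fixed preference order so the client never picks a weaker SCRAM variant
# than it needs to.
SCRAM_PREFERENCE = (
    "SCRAM-SHA-256-PLUS",
    "SCRAM-SHA-256",
    "SCRAM-SHA-1-PLUS",
    "SCRAM-SHA-1",
)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest over the DER encoding of a certificate."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class SessionState:
    """What the client remembers from the session in which it got the token."""
    token: Optional[str] = None
    # Fingerprint of the certificate seen when SCRAM authenticated the server.
    pinned_fingerprint: Optional[str] = None


def server_supports_token(disco_info_xml: str) -> bool:
    """True if a disco#info result advertises the (placeholder) token feature."""
    root = ET.fromstring(disco_info_xml)
    for feature in root.iter(f"{{{DISCO_INFO_NS}}}feature"):
        if feature.get("var") == TOKEN_FEATURE_VAR:
            return True
    return False


def choose_mechanism(state: SessionState, offered: List[str],
                     current_der_cert: bytes) -> str:
    """Pick the SASL mechanism for a reconnection.

    X-OAUTH is used only if the client holds a token, the server offers the
    mechanism, and the current certificate matches the pinned one. Any
    mismatch (or a missing pin) means the token is not sent and the client
    falls back to SCRAM, which authenticates the server and resists replay.
    If no SCRAM variant is offered either, the reconnection is refused rather
    than downgraded.
    """
    token_usable = (
        state.token is not None
        and "X-OAUTH" in offered
        and state.pinned_fingerprint is not None
        and cert_fingerprint(current_der_cert) == state.pinned_fingerprint
    )
    if token_usable:
        return "X-OAUTH"
    for preferred in SCRAM_PREFERENCE:
        if preferred in offered:
            return preferred
    raise RuntimeError("refusing reconnection: token unusable and no SCRAM offered")


if __name__ == "__main__":
    pinned = SessionState(token="tok", pinned_fingerprint=cert_fingerprint(ORIGINAL_CERT))
    print("server advertises token feature:", server_supports_token(SAMPLE_DISCO))
    print("same cert  ->", choose_mechanism(pinned, ["X-OAUTH", "SCRAM-SHA-1"], ORIGINAL_CERT))
    print("other cert ->", choose_mechanism(pinned, ["X-OAUTH", "SCRAM-SHA-1"], OTHER_CERT))
```

The certificate comparison is deliberately exact rather than "same CA" or "same subject": the point of the check is that a reconnection to an endpoint presenting any different certificate must not receive the token, and a full SCRAM exchange is the safe default in that case.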