[Standards] Proposed XMPP Extension: Token-based reconnection

Florian Schmaus flo at geekplace.eu
Fri Feb 12 11:36:33 UTC 2016


On 12.02.2016 11:34, Michal Piotrowski wrote:
> Hi Florian,
> 
> Your extension looks very convenient. As I understand the token can be
> used only once and only in context of stream resumption. What if the
> stream resumption fails? Should the client authenticate by regular
> SASL method like SCRAM-SHA-1 or would it be possible to use the token
> to authenticate (without resuming the session)?

I like to limit the validity of the token as much as possible. It's also
not really required to use the QSR token for this: Simply use XEP-0305
to establish a new session (including the SASL step).

Of course using the QSR token to authenticate a new session would allow
for omitting the extra SASL round trips. But I don't think it would be a
good trade-off from a security perspective. And the SASL overhead can be
further reduced, to what SASL with QSR token would be, by using
something like OAUTH as SASL mechanism.

But I can't prevent you from implementing or specifying a SASL mechanism
which uses the QSR token. I wouldn't want to put this in XEP-QSR though.

- Florian
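
The restriction discussed in this message, sketched as an added example that is not part of the e-mail or of the proposed XEP: a server-side store whose token is single-use and accepted only for resuming the stream it was issued for, so a failed resumption falls back to a full SASL login. The class name, the `purpose` values and the TTL are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class ResumptionTokenStore:
    """Hypothetical store: one-time tokens valid only for resuming one stream."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._by_stream = {}  # stream_id -> (sha256(token), expiry)

    def issue(self, stream_id):
        token = secrets.token_urlsafe(32)
        # Keep only a digest so a leaked table does not yield usable tokens.
        digest = hashlib.sha256(token.encode()).digest()
        self._by_stream[stream_id] = (digest, self._clock() + self._ttl)
        return token

    def redeem(self, stream_id, token, purpose):
        # Scope check: the token is never a general authentication credential.
        if purpose != "resume":
            return False
        # Single use: the entry is consumed by the first resumption attempt,
        # valid or not. A failed attempt therefore forces a full SASL login
        # (a design choice of this sketch: fail closed).
        entry = self._by_stream.pop(stream_id, None)
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(digest, presented)


def demo():
    now = [0.0]  # constructed fake clock so expiry can be shown offline
    store = ResumptionTokenStore(ttl_seconds=10, clock=lambda: now[0])
    tok = store.issue("stream-1")
    results = [
        store.redeem("stream-1", tok, "new-session"),  # wrong scope
        store.redeem("stream-1", tok, "resume"),       # first use
        store.redeem("stream-1", tok, "resume"),       # replay
    ]
    tok2 = store.issue("stream-2")
    now[0] = 11.0
    results.append(store.redeem("stream-2", tok2, "resume"))  # expired
    return results


if __name__ == "__main__":
    print(demo())
```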
