[Standards] Proposed XMPP Extension: Token-based reconnection
flo at geekplace.eu
Fri Feb 12 11:36:33 UTC 2016
On 12.02.2016 11:34, Michal Piotrowski wrote:
> Hi Florian,
>
> Your extension looks very convenient. As I understand, the token can be
> used only once and only in the context of stream resumption. What if the
> stream resumption fails? Should the client authenticate by a regular
> SASL method like SCRAM-SHA-1 or would it be possible to use the token
> to authenticate (without resuming the session)?

I like to limit the validity of the token as much as possible. It's also
not really required to use the QSR token for this: Simply use XEP-0305
to establish a new session (including the SASL step).

Of course using the QSR token to authenticate a new session would allow
for omitting the extra SASL round trips. But I don't think it would be a
good trade-off from a security perspective. And the SASL overhead can be
further reduced, to what SASL with QSR token would be, by using
something like OAUTH as SASL mechanism.

But I can't prevent you from implementing or specifying a SASL mechanism
which uses the QSR token. I wouldn't want to put this in XEP-QSR though.