[Standards] Easy XMPP

Georg Lukas georg at op-co.de
Wed Jun 15 10:21:33 UTC 2016


Thanks very much for the feedback, everyone! I'll try to address the
points in a single mail.

1. "Silo creation": the goal is to make the Easy* proposals backwards
compatible, so that interop with legacy clients is well-defined. The
specifications are all open, so everybody can implement them in their
clients and servers. I'm painfully aware that XMPP developers often lack
the time or are underfunded, but maybe a nice "Easy XMPP" conformity
badge can motivate some folks...

2. Use of phone numbers: unfortunately this is an unsolved problem yet.
Hashing of phone numbers offers little protection, and bloom filters
apparently don't scale. There is no solution yet to run a secure central
"phone book" for automatic lookups, an opt-in solution probably won't be
used much (cf. buddycloud-friend-finder) and decentralized /
one-server-only solutions break global discoverability while reinforcing
silofication. Besides, if the lookup server does not verify every single
element a user publishes, it opens the door to impersonation attacks.

Personally, I'd like to see how far we can improve the UX without
relying on phone numbers or central lookup servers.

3. Adding more devices to the account: this one really needs more work.
Modern cloud services offer "remember me on this device",
device-specific passwords, multi-factor authentication, etc.; then there
are also client certificates (which have a horrible UX on the web and
are not used by anybody). It looks like we first need to extend the
authentication mechanisms to get away from simple JID+password. Then we
have to figure out secure ways to "clone" a user account from one device
to another.


So far, I have implemented the following Easy XMPP ideas in yaxim
(not yet on Google Play):

 - Easy account creation @yax.im with auto-generated passwords
 - XEP-PARS: creation and full handling of links with preauth element
 - NFC / NDEF sharing of own JID (with PARS) and contacts/MUCs
 - Creation of invitation links to HTTP landing page, e.g
   <https://yax.im/i/georg@yax.im> (PARS token removed)

There is a <2min example video: https://op-co.de/tmp/easy-qr.mp4

Matching yaxim APK: https://yaxim.org/archive/builds/yaxim-gl-2016-06-15_muc.apk

Kind regards,

Georg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: Digital signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20160615/43824062/attachment.sig>


More information about the Standards mailing list