[Standards] XEP-0070: SPOF, DoS, and privacy concerns
pep at bouah.net
Tue Oct 1 18:21:43 UTC 2019
On 2019/09/30, Maxime Buquet wrote:
> Hi Standards,
> I've had this in my backlog for quite some time, and while I am not
> planning to work on this right away, I thought it might be good to share
> it anyway. I have looked through the list quickly and I haven't found
> much about what I'm going to describe.
> As much as I would like to, I also don't think 0070 is being used much
> in the wild. I also haven't implemented anything using it yet.
> 1. The way the XEP is written (as of 1.0.1), it means that web services
> using 0070 have to use one (or multiple) static endpoints that act as
> a "Single" Point Of Failure.
> 2. While having a SPOF might be fine in some cases, that single endpoint
> also now acts as the identity provider for the whole XMPP network as
> seen from the web service, allowing it to:
> 2.1 refuse even legit users on (other) servers,
> 2.2 see the activity of anybody authenticating against the web
> service (that is, only when authenticating).
Obviously it's only after sending the email that I realized that the XEP
might have been intended for web services to run their own HTTP/XMPP
component, in which case all of this is moot because they already have
There are XMPP services providing these endpoints though already, (such
as JabberFR iirc), and I believe it's probably best for adoption if the
effort comes from the XMPP side anyway.
Maxime “pep” Buquet