[Standards] XEP-0070: SPOF, DoS, and privacy concerns

Maxime Buquet pep at bouah.net
Tue Oct 1 18:21:43 UTC 2019


On 2019/09/30, Maxime Buquet wrote:
> Hi Standards,
> 
> 
> I've had this in my backlog for quite some time, and while I am not
> planning to work on this right away, I thought it might be good to share
> it anyway. I have looked through the list quickly and I haven't found
> much about what I'm going to describe.
> 
> As much as I would like to, I also don't think 0070 is being used much
> in the wild. I also haven't implemented anything using it yet.
> 
> 
> 1. The way the XEP is written (as of 1.0.1), it means that web services
> using 0070 have to use one (or multiple) static endpoints that act as
> "Single" Point Of Failure.
> 
> 2. While having a SPOF might be fine in some cases, that single endpoint
> also now acts as the identity provider for the whole XMPP network as
> seen from the web service, allowing it to:
>   2.1 refuse even legit users on (other) servers,
>   2.2 see the activity of anybody authenticating against
>   the web service (that is, only when authenticating).

Obviously it's only after sending the email that I realized that the XEP
might have been intended for web services to run their own HTTP/XMPP
component, in which case all of this is moot because they already have
the data.

There are XMPP services providing these endpoints already though (such
as JabberFR iirc), and I believe it's probably best for adoption if the
effort comes from the XMPP side anyway.

-- 
Maxime “pep” Buquet