[Standards] Proposed XMPP Extension: Authorization Tokens

Dave Cridland dave at cridland.net
Thu Sep 12 08:41:41 UTC 2019

On Wed, 11 Sep 2019 at 16:33, Jonas Schäfer <jonas at wielicki.name> wrote:

> Title: Authorization Tokens
> URL: https://xmpp.org/extensions/inbox/auth-tokens.html

Long-time participants, including Florian Schmaus (who suffered from this
for ages), will probably guess what I'll say to this.

There is nothing particularly wrong about this. Some of it (the token
management stuff) does belong in a XEP, though we have ways of doing this
already (XEP-0399, and to some extent, XEP-0397), that I think are
sufficiently close as to not really need anything radically different.

The token mechanism itself, being a SASL mechanism, is however entirely out
of scope for the XSF to standardize - that would need to go through the
IETF. In this instance, it's a straightforward copy of PLAIN - whether it
needs a different mechanism at all is an interesting question and one I do
not have the capability to answer, but the Kitten group at the IETF might
well have opinions.

But equally, both Florian's existing HT-* and my CLIENT-KEY mechanism have
entered the void of the IETF's Kitten working group and sunk without
trace, but they both have some useful security properties beyond PLAIN, so
might be worth looking into.

This XEP will come up for a vote next week, and I will turn it down.

But I'm entirely sold on the need for "something like this", and would be
very grateful if you look at '399 and '397, as well as CLIENT-KEY and HT-*
over at the IETF, and if you'd like to take over '399 I'd appreciate it.
