[Standards] XEP-0070: SPOF, DoS, and privacy concerns

Maxime Buquet pep at bouah.net
Mon Sep 30 21:42:56 UTC 2019


Hi Standards,


I've had this in my backlog for quite some time, and while I am not
planning to work on this right away, I thought it might be good to share
it anyway. I have looked through the list quickly and I haven't found
much about what I'm going to describe.

As much as I would like to, I also don't think 0070 is being used much
in the wild. I also haven't implemented anything using it yet.


1. The way the XEP is written (as of 1.0.1), it means that web services
using 0070 have to use one (or multiple) static endpoints that act as
a "Single" Point Of Failure.

2. While having a SPOF might be fine in some cases, that single endpoint
also now acts as the identity provider for the whole XMPP network as
seen from the web service, allowing it to:
  2.1 refuse even legit users on (other) servers,
  2.2 see the activity of anybody authenticating against the web
  service (that is, only when authenticating).


All of these issues seem to go away with the use of 0156, introducing a
new well-known entry. This has the effect though that it increases the
deployment hurdle (which is already almost non-existent).

Thus a web service using 0070 as an authentication method might want to
poke 0156 on the user-provided JID, and keep using a static endpoint as
a fallback.


Happy Hacking!

-- 
Maxime “pep” Buquet
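The lookup-then-fallback flow proposed above, as an added example that is not part of the post and not code from any XEP or project. It reads the XEP-0156 host-meta document of the JID's domain, looks for a link relation naming a per-domain XEP-0070 verification endpoint, and falls back to a static endpoint when the lookup fails. The relation name `urn:xmpp:alt-connections:http-auth` is a hypothetical stand-in for the "new well-known entry" the post mentions; the fallback URL, the host-meta document and the `fetch` callable are constructed for the example.

```python
"""Resolve a XEP-0070 verification endpoint per JID domain (XEP-0156 style),
with a static fallback. Example code; the relation name below is hypothetical.
"""
import re
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
HTTP_AUTH_REL = "urn:xmpp:alt-connections:http-auth"    # hypothetical rel name
STATIC_FALLBACK = "https://verify.example.net/http-auth"  # constructed fallback

# The JID is user input: only a plain DNS name may be turned into a URL,
# so the web service cannot be pointed at arbitrary hosts or paths.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def jid_domain(jid: str) -> str:
    """Return the lower-cased domainpart of a bare or full JID, or raise."""
    bare = jid.split("/", 1)[0]            # drop the resourcepart
    domain = bare.rsplit("@", 1)[-1].lower()
    if not _HOST_RE.match(domain):
        raise ValueError(f"invalid JID domain: {domain!r}")
    return domain


def parse_host_meta(xrd: str, rel: str) -> Optional[str]:
    """Return the href of the first <Link rel=...> in an XRD host-meta doc.

    For XML fetched from remote servers use defusedxml in production; the
    standard parser does not limit entity expansion.
    """
    root = ET.fromstring(xrd)
    for link in root.iter(XRD_NS + "Link"):
        if link.get("rel") == rel and link.get("href"):
            return link.get("href")
    return None


def resolve_endpoint(jid: str, fetch: Callable[[str], Optional[str]],
                     fallback: str = STATIC_FALLBACK) -> Tuple[str, bool]:
    """Return (endpoint_url, discovered).

    discovered is True when the JID's own domain advertised an endpoint,
    False when the static fallback (the SPOF / central identity provider
    the post warns about) had to be used.
    """
    domain = jid_domain(jid)
    url = f"https://{domain}/.well-known/host-meta"
    try:
        body = fetch(url)
        href = parse_host_meta(body, HTTP_AUTH_REL) if body else None
    except (OSError, ET.ParseError):
        return fallback, False
    # Only accept an https endpoint; the host-meta document itself was
    # served over https by the JID's domain, so it is authoritative for it.
    if not href or not href.startswith("https://"):
        return fallback, False
    return href, True


# --- constructed sample data standing in for real HTTP fetches -------------
SAMPLE_HOST_META = """
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="urn:xmpp:alt-connections:xbosh" href="https://example.org/http-bind"/>
  <Link rel="urn:xmpp:alt-connections:http-auth" href="https://auth.example.org/xep0070"/>
</XRD>
"""


def fake_fetch(url: str) -> Optional[str]:
    """Stub for an HTTPS GET: one domain advertises an endpoint, one has a
    host-meta without the relation, one is unreachable, the rest have none."""
    if url == "https://example.org/.well-known/host-meta":
        return SAMPLE_HOST_META
    if url == "https://boshonly.example/.well-known/host-meta":
        return SAMPLE_HOST_META.replace("http-auth", "unused")
    if url == "https://down.example/.well-known/host-meta":
        raise OSError("connection refused")
    return None


if __name__ == "__main__":
    for jid in ("alice@example.org/phone", "bob@boshonly.example",
                "carol@down.example", "dave@nometa.example"):
        print(jid, "->", resolve_endpoint(jid, fake_fetch))
```

In the discovered case the web service talks only to the domain the user claims to belong to, which removes both the single point of failure and the central observer of authentications; every fallback hit is worth logging, since it marks a domain that is still routed through the shared endpoint.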