On Fri, Apr 4, 2008 at 4:47 PM, Fabio Forno <[EMAIL PROTECTED]> wrote:
> On Fri, Apr 4, 2008 at 10:06 AM, Norman Rasmussen
> <[EMAIL PROTECTED]> wrote:
>
> > I like this, what about some sort of GPG/PUB-KEY based authentication
> > with the gateway? Also you'd want the "registration" to be temporary
> > only, and it should fall away once the client disconnects (after all
> > it's never going to be seen again). Would just a GPG signed presence
> > be good enough to authenticate and log in to the gateway?
>
> GPG presence is good only if each presence packet has a unique token
> that changes each time, otherwise the gateway will be always
> authorized. For this purpose, one time login, a sequence of
> cryptographically computed authentication tokens should be the best
> solution. When you register with the gateway you pass your jid and the
> one-time auth token, then the gateway uses it for connecting with the
> server and, after the session is gone, the token is useless.

Sorry, you mis-read that.. I was talking about the mobile-client to
gateway connection, and not the gateway to master server connection.
(There's no reason to traditionally register with the gateway because
it's a once-off session that could be started with a signed presence.)

As to how each gateway will talk back to the master server, that's a
different issue. I was thinking you could pre-register the GPG key in
the gateway (to jid/pwd/etc) so that it knew which external server to
connect to.

--
- Norman Rasmussen
 - Email: [EMAIL PROTECTED]
 - Home page: http://norman.rasmussen.co.za/
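
Added example, not part of either message in this thread: one way to realise the "sequence of cryptographically computed authentication tokens" from the quoted reply, assuming a Lamport-style hash chain (the thread does not name a construction). The `Gateway` class, the JID and the seed are hypothetical; the run shows a captured token being rejected on replay while the next token in the sequence is accepted.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain_token(seed: bytes, i: int) -> bytes:
    """Return H^i(seed): the client's secret seed hashed i times."""
    out = seed
    for _ in range(i):
        out = h(out)
    return out


class Gateway:
    """Hypothetical gateway: keeps only the last accepted chain value per JID."""

    def __init__(self):
        self.anchor = {}  # jid -> last accepted token (initially H^n(seed))

    def enroll(self, jid: str, anchor: bytes) -> None:
        self.anchor[jid] = anchor

    def login(self, jid: str, token: bytes) -> bool:
        expected = self.anchor.get(jid)
        # A valid token is the hash preimage of the value currently stored.
        if expected is None or not hmac.compare_digest(h(token), expected):
            return False
        self.anchor[jid] = token  # advance the chain: this token is now spent
        return True


def demo() -> list:
    seed = b"constructed-demo-seed"  # constructed sample secret, client side only
    n = 5                            # chain length = number of one-time logins
    jid = "user@example.org"         # constructed JID
    gw = Gateway()
    gw.enroll(jid, chain_token(seed, n))
    t1 = chain_token(seed, n - 1)
    t2 = chain_token(seed, n - 2)
    return [
        gw.login(jid, t1),  # first session: accepted
        gw.login(jid, t1),  # same token replayed by an eavesdropper: rejected
        gw.login(jid, t2),  # next token in the sequence: accepted
        gw.login(jid, t1),  # older token after the chain advanced: rejected
    ]
```

The gateway never stores the seed, so a dump of its state yields only a value that has already been spent.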
