On Wed, Oct 20, 2010 at 1:11 AM, Dave Cridland <d...@cridland.net> wrote:
> On Wed Oct 20 01:47:58 2010, Alex Milowski wrote:
>>
>> On Sun, Oct 17, 2010 at 5:32 AM, Kurt Zeilenga <kurt.zeile...@isode.com>
>> wrote:
>>
>> > User provides hash:
>> >
>> > <presence
>> >     from='ha...@shakespeare.lit/pda'
>> >     to='darkc...@chat.shakespeare.lit/thirdwitch'>
>> >   <x xmlns='http://jabber.org/protocol/muc'>
>> >     <hash algorithm="sha2">hash</hash>
>> >   </x>
>> > </presence>
>> >
>> > where hash was the base64-encoded sha2 hash over the concat of
>> > subscribers' normalized bare jid, " ", the room's normalized bare jid, " ",
>> > and the shared password.
>>
>> Yes, this is something like what I'm after. I'm not really looking to
>> have individual identities authenticate. Instead, I'm looking for a
>> more secure way to send the shared credentials for the room.
>
> At the risk of somewhat contradicting my colleague...
>
> That's equally (in)secure, since the hash is a plaintext equivalent. That's
> protecting you from a different user joining, but someone able to spoof the
> user can just blindly resend the hash. If you sign stanzas, on the other
> hand, the hash is pointless.
I think I'm not being clear in what I'm after. I just want a MUC room
authentication mechanism that uses challenges. If I were to modify the
original suggestion:

1. Client joins room

<presence
    from='ha...@shakespeare.lit/pda'
    to='darkc...@chat.shakespeare.lit/thirdwitch'>
  <x xmlns='http://jabber.org/protocol/muc'/>
</presence>

2. Room returns <not-authorized/> error with supported SASL mechanisms

<presence
    from='darkc...@chat.shakespeare.lit'
    to='ha...@shakespeare.lit/pda'
    type='error'>
  <x xmlns='http://jabber.org/protocol/muc'/>
  <error type='auth'>
    <not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
    <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
      <mechanism>SCRAM-SHA-1-PLUS</mechanism>
      <mechanism>SCRAM-SHA-1</mechanism>
      <mechanism>PLAIN</mechanism>
    </mechanisms>
  </error>
</presence>

3. Client selects an authentication mechanism:

<presence
    from='ha...@shakespeare.lit/pda'
    to='darkc...@chat.shakespeare.lit/thirdwitch'>
  <x xmlns='http://jabber.org/protocol/muc'>
    <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="SCRAM-SHA-1">
      biwsbj1qdWxpZXQscj1vTXNUQUF3QUFBQU1BQUFBTlAwVEFBQUFBQUJQVTBBQQ==
    </auth>
  </x>
</presence>

4. Room returns <not-authorized/> error with challenge:

<presence
    from='darkc...@chat.shakespeare.lit'
    to='ha...@shakespeare.lit/pda'
    type='error'>
  <x xmlns='http://jabber.org/protocol/muc'/>
  <error type='auth'>
    <not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
    <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">...</challenge>
  </error>
</presence>

5. The user joins with an appropriate response:

<presence
    from='ha...@shakespeare.lit/pda'
    to='darkc...@chat.shakespeare.lit/thirdwitch'>
  <x xmlns='http://jabber.org/protocol/muc'>
    <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">...</response>
  </x>
</presence>

--
--Alex Milowski
"The excellence of grammar as a guide is proportional to the paucity of
the inflexions, i.e. to the degree of analysis effected by the language
considered."
Bertrand Russell in a footnote of Principles of Mathematics

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
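The challenge/response of steps 4 and 5 above, worked through with SCRAM-SHA-1 as specified in RFC 5802, and showing what answers Dave's objection: the room keeps only a StoredKey, and a captured response is bound to the room's nonce, so it cannot be blindly resent. This is an added example, not code from the thread or from any MUC implementation; the room salt, iteration count, server nonces and password are constructed, and the client nonce is the one carried in step 3's base64 payload.

```python
import base64
import hashlib
import hmac

# Constructed values for this example; the client nonce is the one inside
# step 3's base64 payload, which decodes to "n,,n=juliet,r=oMsT...".
ROOM_SALT, ROOM_ITERS = b"constructed-room-salt", 4096
CLIENT_NONCE = "oMsTAAwAAAAMAAAANP0TAAAAAABPU0AA"
CLIENT_FIRST_BARE = f"n=juliet,r={CLIENT_NONCE}"
CBIND = base64.b64encode(b"n,,").decode()  # gs2-header: no channel binding

def h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def client_key(password: str, salt: bytes, iters: int) -> bytes:
    # SaltedPassword = Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA-1 (RFC 5802)
    return h(hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iters), b"Client Key")

def room_enroll(password: str) -> bytes:
    # The room stores StoredKey = H(ClientKey), not the password or a hash of it
    return hashlib.sha1(client_key(password, ROOM_SALT, ROOM_ITERS)).digest()

def server_first(server_nonce: str) -> str:
    # Step 4's <challenge/> body: combined nonce, salt and iteration count
    return f"r={CLIENT_NONCE}{server_nonce},s={base64.b64encode(ROOM_SALT).decode()},i={ROOM_ITERS}"

def client_final(password: str, challenge: str) -> str:
    # Step 5's <response/> body: channel-binding flag, combined nonce, ClientProof
    attrs = dict(a.split("=", 1) for a in challenge.split(","))
    ck = client_key(password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    without_proof = f"c={CBIND},r={attrs['r']}"
    auth_message = f"{CLIENT_FIRST_BARE},{challenge},{without_proof}".encode()
    proof = xor(ck, h(hashlib.sha1(ck).digest(), auth_message))  # ClientKey XOR ClientSignature
    return f"{without_proof},p={base64.b64encode(proof).decode()}"

def room_verify(stored_key: bytes, challenge: str, response: str) -> bool:
    # Reject a response not bound to this challenge's nonce, then recover ClientKey from the proof
    without_proof, proof_b64 = response.rsplit(",p=", 1)
    if without_proof != f"c={CBIND},r={challenge.split(',')[0][2:]}":
        return False
    auth_message = f"{CLIENT_FIRST_BARE},{challenge},{without_proof}".encode()
    ck = xor(base64.b64decode(proof_b64), h(stored_key, auth_message))
    return hmac.compare_digest(hashlib.sha1(ck).digest(), stored_key)

def exchange(stored_key: bytes, password: str, server_nonce: str) -> bool:
    challenge = server_first(server_nonce)
    return room_verify(stored_key, challenge, client_final(password, challenge))
```

A real room would also send the ServerSignature back (HMAC(ServerKey, AuthMessage)) so the client can confirm it is talking to a room that actually holds the credential; that half of the exchange is left out here.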