On Sat, 23 Aug 2008 16:23:28 +0200 Dirk Meyer <[EMAIL PROTECTED]> wrote:
> Pedro Melo wrote:
> > Hi,
> >
> > On Aug 23, 2008, at 2:12 PM, Dirk Meyer wrote:
> >> IMHO OAuth is kind of stupid. I have to trust a server I do not
> >> know. No, the point is that I can upload a certificate to my XMPP
> >> server and the owner of that certificate (a bot, a client I do not
> >> trust) can log in using SASL-EXTERNAL as me without having the
> >> password.
> >
> > OAuth is not stupid. The server you do not trust is your own XMPP
> > server. If you don't trust that, well, what are you doing connected
> > to him?
>
> Oops, sorry, I messed up OAuth and OpenID. My fault, ignore me.

Neither OpenID seems stupid to me. "Stupid" is a word that only means you didn't bother to find more information. When one knows what's going on, he might use "unsuitable for our purpose because...".

> > I can ask my XMPP server for an opaque token that I provide to my bot
> > and he can use that to authenticate.
> >
> > Having said that, I also like your "upload-certificate" idea.
>
> Combine OAuth with SASL for server login .... nice one. Use your XMPP
> connection to generate a token and give that to the new not-so-trusted
> client and it can log in with it. The client gives away its
> certificate for future logins.

Isn't OAuth HTTP? Does it bring anything useful enough for XMPP instead of a need to use HTTP besides? Correct me if I'm wrong.

> >>> Yes, what do we need from the server? In a perfect world I would
> >>> hope not to have to go through the server apart from the Jingle
> >>> negotiation? Ok, and IBB-Jingle fallback.
> >>
> >> In that case we need a SOCKS5 proxy or a TURN server. I prefer the
> >> TURN server but we lack ice-tcp support to use it.
> >
> > If you can negotiate a direct TCP (or TCP-like with order
> > guarantees) via ICE, much better.
>
> Direct should be possible if only one is behind a NAT or a
> firewall. If both are you need the help of a TURN server. Well, there
> is STUNT (STUN over TCP) but IMHO this is a bad hack and it won't work
> with all routers. You could also add UPnP IGD to open a port on your
> router, or the similar method Apple used (I can not remember the name
> right now, it is an IETF draft) or you can put a TURN server on your
> router.

Erm, there are many possibilities to start a session between two clients behind a NAT. Why do we have Jingle-ICE if not for sending data over NATs? UPnP is a good choice when users have access to router administration (home use).

> >> I also need the server to help me find a TURN server I can use if I
> >> need one.
> >
> > Isn't this a problem to be solved by the Jingle specs?
>
> Yes. On the list we only need to know that there is a way to open a
> stream between clients. How we do that should be discussed on the
> jingle list.

True enough.

> Dirk

-- 
Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net
