anders conbere wrote:
> On Dec 19, 2007 10:44 AM, Alex Jones <[EMAIL PROTECTED]> wrote:
>> Hi list
>>
>> A few months ago, I became concerned with XEP-70: Verifying HTTP
>> Requests via XMPP[1]. As far as I can tell, deployment of this XEP
>> would potentially allow for malicious abuse.
>>
>> The protocol seems to be a little backward, in that I can provide a
>> relying party with any arbitrary JID (in the HTTP request), and then
>> they will send a message to that JID. This is a bad idea, and it
>> allows me to initiate spam against anyone I know the JID of.
>>
>> What's going on with XEP-101: HTTP Authentication Using Jabber
>> Tickets[2]? It's "Deferred", yet it seems to, more or less, do the
>> same thing in a better fashion.
>>
>> I'd like to point out that deployment of something of this type could
>> potentially be a much better solution to the problem of decentralised
>> authentication than OpenID, which lately seems to be a little misguided.
>>
>> I envisage going to a website, clicking "Authenticate via XMPP",
>> having my browser and my XMPP client do some IPC magic and prompt me
>> to choose an identity (i.e. a JID) for which to authenticate as, and
>> then be authenticated with the website.
>
> These methods appear to me to be just as misguided. I don't consider
> it particularly likely that any significant portion of the installed
> browser base will include support for xmpp authentication. I think a
> better solution would be to look at how jabber servers can begin to
> integrate a basic http endpoint for digesting http requests. At least
> in the foreseeable future in order to do authentication over the web
> we need to think of ways to work over http.

I agree. How do we make that happen? Is that mostly a matter of working on xmpp server implementations, or is there any protocol work for us to do here?

Anders, I know you've thought about this a lot so your feedback would be welcome. And feel free to point to things that you've already posted but that I missed the first time around. :)

Peter

--
Peter Saint-Andre
https://stpeter.im/
