On 20 Dec 2007, at 23:16, anders conbere wrote:
> On Dec 20, 2007 2:29 PM, Peter Saint-Andre <[EMAIL PROTECTED]> wrote:
>> anders conbere wrote:
>>> On Dec 20, 2007 12:28 PM, Alex Jones <[EMAIL PROTECTED]> wrote:
>>>> On 20 Dec 2007, at 20:18, anders conbere wrote:
>>>>> In what I'm describing you wouldn't. The workflow is like this:
>>>>> 1) Site requests authentication
>>>>> 2) You enter your JID
>>>>> 3) Site sends an HTTP request to the Jabber server requesting
>>>>> confirmation of user identity
>>>>> 4) Jabber server requests user credentials
>>>> This is the broken part, the part that can be maliciously abused.
>>> How could that be abused? You're entering credentials at the Jabber
>>> server that you've already signed up for an account at. It could
>>> possibly be phished, but there are methodologies around that as
>>> well.
>> I think what Alex is worried about is this flow:
>> 1. Site requests authentication
>> 2. I enter your JID
>> 3. Site sends an HTTP request to your Jabber server requesting
>> confirmation of user identity
>> 4. Jabber server requests user credentials
> Ah, I think there's some confusion here. When I say "Jabber server
> requests user credentials" I really mean that it expects an HTTP POST
> with JID and password in it. In particular I would expect the HTML
> form and HTTP server to both be a component of the Jabber server, so
> the communication of the POST happens between the Jabber server and
> itself.
But I'm already logged on with my main XMPP client (I already
authenticated). I don't see why I should have to do it again just for
the sake of keeping everything inside a browser window. I value the re-use
of the existing infrastructure more -- and it doesn't even seem to
me that there is a compromise to be made. Besides, such a generic
mechanism could be used *outside* of a browser, e.g. asserting an
identity to a third party service like iTunes. Again, this seems to be
one of the oversights of OpenID -- it makes things difficult when you
want to forget about HTML viewers.
Your method requires that an authenticating party be using a server
that supports this mechanism. I see this as having a bigger question
mark than that which I explained about using a token. I can't imagine
a way for a user to manually achieve authentication this way, like one
could do by copying and pasting 2 numbers.
Sorry if this is incoherent, it's late :)
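The flow the thread argues over, as an added example that is not part of the original messages and not code from any Jabber or XMPP server: a small Python model in which the credential form is either served by the Jabber server's own HTTP component (Anders' reading) or routed back through the site that made the HTTP request. The classes, the request id, the method names and the sample account alice@example.org are all assumptions made for this example; real HTTP and XMPP traffic is replaced by direct method calls so it runs offline. What it shows is that the security question is not whether the user types a password again but who gets to see the POST: with the form on the server, typing someone else's JID at the site, as in Peter's flow, produces nothing but an unconfirmed request, while routing the form through the site hands the site the password. Alex's alternative of confirming through an already-authenticated XMPP client is not modelled.

```python
"""Model of the JID-confirmation flow discussed in the thread: an added
illustration, not code from the thread or any Jabber/XMPP project. Class,
function and account names are assumptions; HTTP and XMPP are replaced by
direct method calls so the example runs offline."""
import hmac
import secrets

class JabberServer:
    """User's home server plus the HTTP component Anders describes."""

    def __init__(self, domain, accounts):
        self.domain = domain
        self._accounts = accounts   # jid -> password (constructed sample data)
        self._pending = {}          # request id -> jid awaiting credentials
        self._confirmed = set()     # request ids the account holder confirmed

    def request_confirmation(self, jid):
        """Step 3: a site asks the server to confirm a JID.  The server only
        records a pending request and returns an opaque single-use id."""
        if jid.rsplit("@", 1)[-1] != self.domain:
            raise ValueError("not a user of this server: " + jid)
        rid = secrets.token_urlsafe(16)
        self._pending[rid] = jid
        return rid

    def credential_post(self, rid, jid, password):
        """Step 4 as Anders means it: the POST carrying JID and password
        arrives at the server's own HTTP component, never at the site."""
        expected = self._accounts.get(jid)
        if self._pending.get(rid) != jid or expected is None:
            return False
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        del self._pending[rid]      # single use: a replayed id is refused
        self._confirmed.add(rid)
        return True

    def is_confirmed(self, rid):
        """All the site ever learns: yes or no for the id it was handed."""
        return rid in self._confirmed

class RelyingSite:
    """The site requesting authentication.  passwords_seen records whatever
    the site got to look at; in the server-form wiring it stays empty."""

    def __init__(self, servers):
        self._servers = servers     # domain -> JabberServer
        self.passwords_seen = []

    def login_server_form(self, jid, fill_in_form):
        """Anders' wiring: fill_in_form(server, rid) stands for whoever ends
        up at the form served by the Jabber server; the site never sees it."""
        server = self._servers[jid.rsplit("@", 1)[-1]]
        rid = server.request_confirmation(jid)
        fill_in_form(server, rid)
        return server.is_confirmed(rid)

    def login_site_form(self, jid, password):
        """The reading Alex calls broken: the credential request comes back
        through the site, which renders the form and forwards the POST."""
        self.passwords_seen.append(password)
        server = self._servers[jid.rsplit("@", 1)[-1]]
        rid = server.request_confirmation(jid)
        server.credential_post(rid, jid, password)
        return server.is_confirmed(rid)

def build():
    # constructed sample deployment: one server, one account, one site
    server = JabberServer("example.org", {"alice@example.org": "correct-horse"})
    return server, RelyingSite({"example.org": server})

def honest_login():
    """Alice types her own JID and fills in her own server's form."""
    server, site = build()
    ok = site.login_server_form("alice@example.org", lambda srv, rid:
        srv.credential_post(rid, "alice@example.org", "correct-horse"))
    return ok, list(site.passwords_seen)

def attacker_types_alices_jid():
    """Peter's scenario: someone else enters alice's JID at the site and
    guesses at the form.  Nothing is confirmed and nothing leaks."""
    server, site = build()
    ok = site.login_server_form("alice@example.org", lambda srv, rid:
        srv.credential_post(rid, "alice@example.org", "guess"))
    return ok, list(site.passwords_seen)

def site_in_the_middle():
    """Login succeeds just the same, but now the site holds the password."""
    server, site = build()
    ok = site.login_site_form("alice@example.org", "correct-horse")
    return ok, list(site.passwords_seen)

def replay_refused():
    """A confirmed request id cannot be posted to twice."""
    server, site = build()
    rid = server.request_confirmation("alice@example.org")
    first = server.credential_post(rid, "alice@example.org", "correct-horse")
    again = server.credential_post(rid, "alice@example.org", "correct-horse")
    return first, again, server.is_confirmed(rid)
```

The opaque single-use request id is this example's own choice, not something the thread specifies; it stops a confirmed id from being replayed but does nothing against the phishing Anders mentions, where a dishonest site sends the user to a look-alike form instead of the server's own, which remains a separate problem in either wiring.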