On Tue, Jan 08, 2008 at 11:20:06AM +0000, Dave Cridland wrote:
> On Tue Jan  8 00:35:43 2008, Guenther Niess wrote:
> >I'm a student and within a project at the university I want to  
> >implement the XEP-0070 [1] as a SASL mechanism [2].  So other  
> >protocols for example imap or pop3 can easily use the authentication
> >scheme.
> >
> >
> I'm not sure I follow the idea behind this.
> 
> The point of SASL is that different protocols, including all those  
> mentioned above, can use the same SASL mechanisms, so XMPP already  
> can (and does, in some implementations) share the same authentication  
> infrastructure with POP3 and IMAP services (as well as with SUBMIT).

SASL is an authentication framework and it's protocol independent to
my knowledge. I'm not sure if you understand me correctly. I don't want
to authenticate my XMPP session with another XMPP session. I want to
generalize the scheme behind XEP-0070 (see Sections 4.5 and 4.6 of
XEP-0070) for use with a library and other protocols like POP3 and IMAP.

And sorry, I don't know SUBMIT.

> The point of XEP-0070 is for websites which wish to authenticate that  
> a particular user owns a particular JID - in this respect it's  
> similar to OpenID. But it also notifies the user that the service is  
> being used, which is also potentially useful. The moment you start  
> introducing SASL, you're well away from this goal, since HTTP doesn't  
> - after much effort - do SASL.

I'm at the moment not very familiar with the use of SASL by HTTP, but
I'm thinking that with the Apache modules [4] and [5] a first step for
the connection between them is done. But now I'm working on this.

> Offering email services to anyone with a valid JID seems a little odd  
> to me, so maybe you could expand on your use-cases a bit more.

My vision is that you have the possibility of a single sign-on to Jabber
and that's it. You don't have to know all the different usernames and
passwords for the various providers and protocols.
For a more practical use case, for example if you use Thunderbird as
your favourite mail client, you can use the XMPP authentication
automatically with a Thunderbird plugin, similar to an XMPP plugin
for the Firefox browser. And when you are at the airport and want
to check your mail via webmail you can simply do it also without
any password.

> >So I think a good solution for HTTP authentication is XEP-0070
> >when it is clear that all users that are online can confirm the
> >request,
> >and others are redirected to the XMPP server and can
> >authenticate themselves via user credentials.
> 
> That would mean tunnelling SASL through HTTP. I'd be intrigued to see  
> what you come up with, as it'd be directly applicable to simply doing  
> SASL within HTTP.

I don't want that. The idea of the connection to an HTTP server
is only for the implementation for the HTTP protocol. When you
want to authenticate yourself against your mail server it would be
very difficult to link against the XMPP server.

I'm not an expert on this subject, but I want to learn, so feel
free to correct me.

[4] http://mod-authn-sasl.sourceforge.net/
[5] http://www.py-soft.co.uk/~benjamin/download/mod_auth_sasl/
