Dave Cridland wrote:
XEP-0070 doesn't introduce a new mechanism, in the protocol sense, it introduces a hack to get Basic to be used for identity assertion. (Actually, ownership of a jid).
I was just chatting about this with Maciek Niedzielski and he suggested a different kind of workflow for XEP-0070-like functionality:
1. User visits www.example.com2. The website advertises a link to an XMPP-based authorization service, such as:
xmpp:[EMAIL PROTECTED];body=[some-unique-id-here](The message could also include some kind of data form or hidden content that can't be modified by the user.)
3. User clicks the link and launchs their Jabber client 4. Jabber client sends an XMPP message to the auth service: <message from='[EMAIL PROTECTED]' to='[EMAIL PROTECTED]'> <body>[some-unique-id-here]</body> </message> 5. The website refreshes with some verification Now the user is authorized at www.example.com (or a particular page there).This removes the worry about someone else typing in your JID and spamming you with XMPP messages, because you initiate the exchange (not the website).
Thoughts? Peter -- Peter Saint-Andre https://stpeter.im/
smime.p7s
Description: S/MIME Cryptographic Signature
