On Tue, Jan 08, 2008 at 01:14:41PM -0700, Peter Saint-Andre wrote:
> Dave Cridland wrote:
> 
> >XEP-0070 doesn't introduce a new mechanism, in the protocol sense, it 
> >introduces a hack to get Basic to be used for identity assertion. 
> >(Actually, ownership of a jid).
> 
> I was just chatting about this with Maciek Niedzielski and he suggested 
> a different kind of workflow for XEP-0070-like functionality:
> 
> 1. User visits www.example.com
> 
> 2. The website advertises a link to an XMPP-based authorization service, 
> such as:
> 
>   xmpp:[EMAIL PROTECTED];body=[some-unique-id-here]
> 
> (The message could also include some kind of data form or hidden content 
> that can't be modified by the user.)
> 
> 3. User clicks the link and launches their Jabber client
> 
> 4. Jabber client sends an XMPP message to the auth service:
> 
> <message from='[EMAIL PROTECTED]' to='[EMAIL PROTECTED]'>
>   <body>[some-unique-id-here]</body>
> </message>
> 
> 5. The website refreshes with some verification
> 
> Now the user is authorized at www.example.com (or a particular page there).
> 
> This removes the worry about someone else typing in your JID and 
> spamming you with XMPP messages, because you initiate the exchange (not 
> the website).
> 
> Thoughts?

At first glance it looks very nice to me. The spam problem is 
solved and I like the initiation by the user.

But some problems are still there. 

1. If you want to use the authorization service, you have to use a 
   client that supports that protocol.
2. I think web-based XMPP clients like meebo [1] would have big problems 
   implementing such a protocol. (This looks more like a configuration
   problem of the browser.) 
3. If you want to sign in to a website at an internet cafe or
   somewhere else, it's also a problem if it's not configured.
4. It's not secure to assume that the user "can't modify" information which the
   user gets from a website and sends to an XMPP server; it's an illusion. 

All in all, I think the spam problem caused by another user is not as big as the
problems you get when you can't use the authorization service. And
in my opinion, when you implement the existing XEP-0070 you can help the
user so that the problem is not so big, by:
a) for XMPP browser plugins: automated server responses don't disturb
   the user
b) for other clients: caching decisions and limiting user requests per
   session can help.
c) for servers: saving denials together with the request IP can
   help to locate spammers and exclude them


Günther

[1] http://www.meebo.com
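The service side of the user-initiated workflow quoted above, as an added Python sketch that is not code from this thread or from any XMPP implementation. It treats the id in the message body purely as a single-use, time-limited lookup key and takes the JID from the stanza's `from` attribute (which the user's own XMPP server stamps), which is the point of Günther's item 4: nothing else the client sends is trusted. The class and method names (`AuthService`, `new_link`, `on_message`), the `auth@example.org` address, the 300-second lifetime and the `?message;body=` URI query form (RFC 5122) are assumptions of the example.

```python
# Added example: verification step for the XEP-0070-like, user-initiated
# workflow. Constructed names and values; not code from the thread.
import secrets
import time
import xml.etree.ElementTree as ET

TTL_SECONDS = 300                    # assumed lifetime of an issued id
SERVICE_JID = "auth@example.org"     # assumed address of the auth service


class AuthService:
    """Issues one-time ids for the xmpp: link and checks the message the
    user's client sends back. The id is only a lookup key; the identity
    comes from the server-stamped 'from' attribute, never from the body."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}    # unique id -> (web session id, expiry time)
        self.verified = {}   # web session id -> bare JID that proved it

    def new_link(self, web_session):
        """Step 2: the website advertises this link for the session."""
        uid = secrets.token_urlsafe(16)
        self.pending[uid] = (web_session, self.now() + TTL_SECONDS)
        return f"xmpp:{SERVICE_JID}?message;body={uid}"

    def on_message(self, stanza_xml):
        """Step 4/5: handle the message stanza the client sent.
        Returns True and records the JID only on a valid, unused id."""
        msg = ET.fromstring(stanza_xml)
        sender = msg.get("from", "")
        body_el = msg.find("body")
        if body_el is None:                  # stanza may carry the
            body_el = msg.find("{jabber:client}body")  # client namespace
        uid = (body_el.text or "").strip() if body_el is not None else ""
        entry = self.pending.pop(uid, None)  # single use, even on failure
        if entry is None or "@" not in sender:
            return False
        web_session, expiry = entry
        if self.now() > expiry:
            return False                     # link was used too late
        bare_jid = sender.split("/", 1)[0]   # drop the resource part
        self.verified[web_session] = bare_jid
        return True
```

Any extra "hidden" content the website put in the link is deliberately ignored here; if the service needs it, it must be stored server-side under the id at issue time, not read back from the stanza.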