Thank you both for your replies. I will look into SASL EXTERNAL as I had not looked at it closely enough previously. I will review XEP-0178 and the EXTERNAL mechanism specification (specifically the RFC 5290 noted in XEP-0178) itself. I also noticed XEP-0257, which is a related, but deferred, XEP. Is this something I could potentially use, or is it pointless since I can just require the user to provide a certificate for TLS and use that?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Justin Karneges
Sent: Friday, June 22, 2012 1:00 PM
To: XMPP Standards
Subject: Re: [Standards] Security and Serverless Messaging

On Friday, June 22, 2012 09:48:18 AM Todd Herman wrote:
> We are currently looking into implementing serverless messaging. The
> specification (and the XMPP: The Definitive Guide) both mention that
> serverless messaging does not use SASL or TLS by default so it isn't
> secure. Has anyone looked into an appropriate way to implement this
> functionality? I get TLS but I am a little confused by SASL since it
> would require having user names and passwords stored which seems to
> almost contradict the point of serverless messaging.
>
> Any thoughts?

If both the client and server authenticate via TLS, then the SASL EXTERNAL mechanism can be used.

Justin
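To make the "mutual TLS, then SASL EXTERNAL" suggestion concrete, here is an added example (not code from either poster, and not from any XEP reference implementation) of the SASL EXTERNAL exchange as RFC 6120 and XEP-0178 describe it. It assumes the TLS handshake has already completed, that the peer's client certificate was verified, and that the XMPP addresses it carries (the id-on-xmppAddr SAN entries XEP-0178 uses) have already been extracted; the `cert_identities` list stands in for that output, and the JIDs such as `juliet@capulet-laptop` are constructed sample data in XEP-0174's user@machine style. The encoding rules shown are real: an empty initial response is sent as a lone `=`, otherwise the authzid is base64; the "reject when the certificate holds several addresses and the client named none" policy is the one this example adopts. Whether to trust a peer certificate at all is the part serverless messaging leaves open (there is no CA in the picture), so that decision, for example against pinned fingerprints, has to happen before this code runs.

```python
import base64
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


def build_external_auth(authzid=None):
    """Initiating side: build the <auth/> element for SASL EXTERNAL.

    RFC 6120 6.4.2: an empty initial response is sent as a single '=' so the
    element is never empty; otherwise the authzid is base64-encoded UTF-8.
    """
    auth = ET.Element("auth", {"xmlns": SASL_NS, "mechanism": "EXTERNAL"})
    if authzid:
        auth.text = base64.b64encode(authzid.encode("utf-8")).decode("ascii")
    else:
        auth.text = "="
    return ET.tostring(auth, encoding="unicode")


def parse_external_auth(xml_text):
    """Receiving side: return the requested authzid, or None if the client sent '='."""
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}auth" % SASL_NS or el.get("mechanism") != "EXTERNAL":
        raise ValueError("not a SASL EXTERNAL <auth/> element")
    text = (el.text or "").strip()
    if text in ("", "="):
        return None
    # validate=True rejects non-base64 characters instead of silently dropping them
    return base64.b64decode(text, validate=True).decode("utf-8")


def authorize_external(cert_identities, authzid):
    """Decide which identity the TLS-authenticated peer may act as.

    cert_identities: XMPP addresses taken from the peer's already-verified
    client certificate (assumed to be extracted by the TLS layer; constructed
    input in this example). Returns (ok, jid) or (False, sasl_failure_condition).
    """
    identities = list(dict.fromkeys(cert_identities))  # de-duplicate, keep order
    if not identities:
        # a verified certificate that names no XMPP address cannot authenticate anyone
        return (False, "not-authorized")
    if authzid is None:
        if len(identities) == 1:
            return (True, identities[0])
        # ambiguous: the client must say which of its addresses it wants (policy here)
        return (False, "invalid-authzid")
    if authzid in identities:
        return (True, authzid)
    # asking to act as an address the certificate does not vouch for
    return (False, "invalid-authzid")


def build_sasl_response(ok, result):
    """Receiving side: <success/> or <failure><condition/></failure>."""
    if ok:
        return '<success xmlns="%s"/>' % SASL_NS
    failure = ET.Element("failure", {"xmlns": SASL_NS})
    ET.SubElement(failure, result)
    return ET.tostring(failure, encoding="unicode")


def run_exchange(cert_identities, authzid=None):
    """Full round trip: build <auth/>, parse it on the peer, authorize, answer."""
    wire = build_external_auth(authzid)
    requested = parse_external_auth(wire)
    ok, result = authorize_external(cert_identities, requested)
    return ok, result, build_sasl_response(ok, result)


if __name__ == "__main__":
    # constructed sample certificates, expressed only by the addresses they carry
    single = ["juliet@capulet-laptop"]
    multi = ["juliet@capulet-laptop", "juliet@capulet-phone"]
    for cert, authzid in [(single, None), (multi, None),
                          (multi, "juliet@capulet-phone"), (single, "romeo@montague-pc")]:
        ok, result, reply = run_exchange(cert, authzid)
        print("cert=%s authzid=%s -> %s %s" % (cert, authzid, "OK" if ok else "FAIL", reply))
```

The client side of a serverless session would send the `<auth/>` string over the TLS-wrapped XEP-0174 stream after `<starttls/>`; the receiving side does not look at any password, only at the identity the certificate already proved.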
