Greetings, I'm working to extend XMPP to be suited for my project. My project has the need to not store rosters on behalf of users. I'm already using asymmetric encryption and I thought that I might be able to "verify" a presence subscription request by looking at public key signatures. For example:
* Alice requests presence subscription to Bob
* Bob receives the subscription request along with Alice's public key
* If Bob accepts, he signs Alice's public key using his private key
* Bob will reply to the subscription request including Alice's signed public key
* Alice is now authorized to see Bob's presence - the server just needs to check for the right signature on the public key

This has some advantages:

* The server doesn't need to store roster lists for each user. Storing public keys will be enough
* Using a WoT system (such as OpenPGP), we can encourage people to use it
* This system can be used for handling permissions to send messages and generally obtain information about a user - the server will check the signatures to see if a user is allowed to see someone else's info or send a message

Please note that my project has no roster list management, but I think that this method can also be applied to output a roster list generated on-the-fly by looking at public key signatures.

Is this an insane approach? What do you think?

Regards,
-- Daniele
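The exchange described in the post, as an added worked example in Go that is not part of Daniele's message or of any XMPP server's code. It uses Ed25519 from the Go standard library in place of OpenPGP; the JIDs, the `Grant` struct, the `Server` type and the exact byte string being signed are all assumptions made for the illustration. Besides the happy path it checks the two things the server has to get right for the scheme to hold: Bob's signature must bind Alice's JID as well as her key (otherwise anyone who registers the same key, or rewrites the JID, inherits the grant), and the server must only verify against the key it has registered for Bob.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Grant is what Bob returns in the subscription reply: his signature over a
// statement binding Alice's JID to Alice's public key. Hypothetical struct,
// not an XMPP stanza.
type Grant struct {
	GranterJID    string            // Bob
	SubscriberJID string            // Alice
	SubscriberKey ed25519.PublicKey // Alice's public key, as Bob saw it
	Signature     []byte            // Bob's Ed25519 signature over statement(...)
}

// statement is the exact byte string Bob signs. The fixed prefix and both
// JIDs are part of it, so the signature cannot be replayed for another
// purpose or presented by a different account that holds Alice's key.
func statement(granterJID, subscriberJID string, subscriberKey ed25519.PublicKey) []byte {
	var b bytes.Buffer
	b.WriteString("xmpp-presence-grant/v1\n") // assumed domain-separation tag
	b.WriteString(granterJID + "\n")
	b.WriteString(subscriberJID + "\n")
	b.Write(subscriberKey)
	return b.Bytes()
}

// Accept is Bob's side: he accepts Alice's subscription by signing her key.
func Accept(granterJID string, granterPriv ed25519.PrivateKey, subscriberJID string, subscriberKey ed25519.PublicKey) Grant {
	return Grant{
		GranterJID:    granterJID,
		SubscriberJID: subscriberJID,
		SubscriberKey: subscriberKey,
		Signature:     ed25519.Sign(granterPriv, statement(granterJID, subscriberJID, subscriberKey)),
	}
}

// Server stores only one public key per JID and no roster at all.
type Server struct {
	Keys map[string]ed25519.PublicKey
}

// MayReceivePresence is the server-side check: the subscriber may see the
// granter's presence iff the granter's registered key verifies a grant that
// binds the subscriber's JID to the subscriber's registered key.
func (s *Server) MayReceivePresence(g Grant) bool {
	granterKey, ok := s.Keys[g.GranterJID]
	if !ok {
		return false
	}
	subscriberKey, ok := s.Keys[g.SubscriberJID]
	if !ok || !subscriberKey.Equal(g.SubscriberKey) {
		return false // key in the grant is not the one registered for that JID
	}
	return ed25519.Verify(granterKey, statement(g.GranterJID, g.SubscriberJID, g.SubscriberKey), g.Signature)
}

// Outcome reports the results of the worked exchange.
type Outcome struct {
	AliceSeesBob     bool // legitimate grant accepted
	MalloryForgesBob bool // Mallory signs "for Bob" with her own key
	CarolReusesGrant bool // Carol presents Alice's grant under her own JID
	BobSeesAlice     bool // a grant is one-way; Alice never signed Bob's key
}

// Scenario runs the exchange from the post with freshly generated keys.
func Scenario() (Outcome, error) {
	alice, bob, mallory, carol := "alice@example.org", "bob@example.org", "mallory@example.org", "carol@example.org"
	srv := &Server{Keys: map[string]ed25519.PublicKey{}}
	privs := map[string]ed25519.PrivateKey{}
	for _, jid := range []string{alice, bob, mallory, carol} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return Outcome{}, err
		}
		srv.Keys[jid] = pub
		privs[jid] = priv
	}

	grant := Accept(bob, privs[bob], alice, srv.Keys[alice])        // steps 1-4 of the post
	forged := Accept(bob, privs[mallory], alice, srv.Keys[alice])   // wrong private key
	reused := grant                                                 // Carol keeps Bob's signature...
	reused.SubscriberJID = carol                                    // ...but swaps in her own JID
	reverse := Grant{GranterJID: alice, SubscriberJID: bob, SubscriberKey: srv.Keys[bob], Signature: grant.Signature}

	return Outcome{
		AliceSeesBob:     srv.MayReceivePresence(grant),
		MalloryForgesBob: srv.MayReceivePresence(forged),
		CarolReusesGrant: srv.MayReceivePresence(reused),
		BobSeesAlice:     srv.MayReceivePresence(reverse),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o) // only AliceSeesBob is true
}
```

Two caveats a server operator would raise against this example as written: the grant has no expiry and no revocation, so once Bob has signed Alice's key the server will keep honouring it until Bob rotates his key, and keeping a revocation list would reintroduce per-user state of roughly the kind the roster-less design wants to avoid. And the whole check rests on the server holding an authentic copy of Bob's public key; whoever can replace that entry can mint grants for anyone.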
