> On 5 feb. 2016, at 17:15, XMPP Extensions Editor <[email protected]> wrote:
>
> The XMPP Extensions Editor has received a proposal for a new XEP.
>
> Title: Token-based reconnection
>
> Abstract: This specification defines a token-based session authentication
> mechanism similar to OAuth.
>
> URL: http://xmpp.org/extensions/inbox/token-reconnection.html
>
> The XMPP Council will decide in the next two weeks whether to accept this
> proposal as an official XEP.
As it is currently written this looks like a rather bad idea to me, or at least needs a much longer Security Considerations section than it currently has. SCRAM offers protection from replay attacks, mutual authentication and optionally channel binding. Not only does this specification give up on all of those, but it also makes it trivial for an active attacker to cause a reconnection where SCRAM will be downgraded to this. One suggestion to fix this is to require the client to verify that the server's certificate is unchanged.

Other comments:

* It's named "X-OAUTH". How does it compare to RFC 7628?
* It should probably have a disco feature so the client can determine whether it can retrieve a token.

Regards,
Thijs
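As an added illustration of the certificate-check fix suggested in the reply above (example code, not part of the proposal or of anything posted in this thread): a client-side token cache that binds each reconnection token to the SHA-256 fingerprint of the server certificate it was issued over, offers the token only when the new TLS connection presents that same certificate, and otherwise falls back to SCRAM. The `TokenStore` API, the SCRAM mechanism name and the sample certificate bytes are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CachedToken:
    token: str
    cert_fingerprint: str  # hex SHA-256 of the DER certificate seen at issue time
    expires_at: float      # Unix timestamp after which the token is not offered


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER-encoded server certificate."""
    return hashlib.sha256(der_cert).hexdigest()


class TokenStore:
    """Client-side cache of reconnection tokens, keyed by server JID (assumed API)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, CachedToken] = {}

    def remember(self, server_jid: str, token: str, der_cert: bytes,
                 now: float, ttl: float) -> None:
        """Store a freshly issued token bound to the certificate it was received over."""
        self._tokens[server_jid] = CachedToken(token, cert_fingerprint(der_cert), now + ttl)

    def mechanism_for(self, server_jid: str, der_cert_now: bytes, now: float) -> str:
        """Pick the SASL mechanism to offer on a new connection to server_jid.

        X-OAUTH is offered only when a live token exists and the certificate on
        the new connection is the one the token was issued over. Any mismatch,
        including a different but otherwise valid certificate, falls back to
        SCRAM, so an endpoint that merely presents *a* trusted certificate never
        receives the bearer token.
        """
        cached = self._tokens.get(server_jid)
        if cached is None or now >= cached.expires_at:
            self._tokens.pop(server_jid, None)  # drop expired entries
            return "SCRAM-SHA-1"
        if not hmac.compare_digest(cert_fingerprint(der_cert_now), cached.cert_fingerprint):
            return "SCRAM-SHA-1"
        return "X-OAUTH"

    def consume(self, server_jid: str) -> Optional[str]:
        """Hand out the token for use and forget it, so it is presented at most once."""
        cached = self._tokens.pop(server_jid, None)
        return cached.token if cached else None
```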
_______________________________________________ Standards mailing list Info: http://mail.jabber.org/mailman/listinfo/standards Unsubscribe: [email protected] _______________________________________________
