On 12.02.2016 11:34, Michal Piotrowski wrote:
> Hi Florian,
>
> Your extension looks very convenient. As I understand the token can be
> used only once and only in context of stream resumption. What if the
> stream resumption fails? Should the client authenticate by regular
> SASL method like SCRAM-SHA-1 or would it be possible to use the token
> to authenticate (without resuming the session)?
I like to limit the validity of the token as much as possible. It's also not really required to use the QSR token for this: simply use XEP-0305 to establish a new session (including the SASL step).

Of course using the QSR token to authenticate a new session would allow for omitting the extra SASL round trips. But I don't think it would be a good trade-off from a security perspective. And the SASL overhead can be further reduced, to what SASL with a QSR token would be, by using something like OAuth as SASL mechanism.

But I can't prevent you from implementing or specifying a SASL mechanism which uses the QSR token. I wouldn't want to put this in XEP-QSR though.

- Florian
_______________________________________________
Standards mailing list
Info: http://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
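The token policy Florian argues for above (one use, bound to one stream, validity as short as possible, usable for resumption only, with a failed resumption ending in a fresh session and a regular SASL exchange) as an added example. This is illustrative code written for this page, not XEP-QSR's token format or any XMPP server's implementation; `QsrTokenStore`, `attempt_resume`, the purpose labels, the 300-second TTL and the server secret are all hypothetical choices.

```python
"""Single-use, stream-bound resumption token check.

Added illustration of the token policy discussed in the thread (one use, one
stream, short validity, resumption only). Not XEP-QSR's token format or any
server's code; QsrTokenStore, attempt_resume and the purposes are hypothetical.
"""
import hashlib
import hmac
import secrets
import time

RESUME = "resume"  # the only purpose the verifier accepts
SASL = "sasl"      # using the token as a SASL credential is rejected


class QsrTokenStore:
    def __init__(self, server_secret: bytes, ttl_seconds: float = 300.0,
                 clock=time.monotonic):
        self._secret = server_secret
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so expiry can be exercised offline
        self._records = {}       # keyed digest -> (stream_id, issued_at)

    def _digest(self, token: str) -> bytes:
        # Keep only an HMAC of the token: a leaked store yields no live tokens.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).digest()

    def issue(self, stream_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = (stream_id, self._clock())
        return token

    def consume(self, token: str, stream_id: str, purpose: str) -> bool:
        # pop() first: the token is spent whatever the checks below decide,
        # so a failed or misused attempt cannot be retried with the same token.
        record = self._records.pop(self._digest(token), None)
        if record is None:
            return False
        bound_stream, issued_at = record
        if purpose != RESUME:
            return False
        if self._clock() - issued_at > self._ttl:
            return False
        return hmac.compare_digest(bound_stream.encode(), stream_id.encode())


def attempt_resume(store, token, stream_id, server_state_alive):
    """Outcome from the client's point of view.

    If the token is rejected, or accepted but the server no longer holds the
    stream state, the client falls back to a new session with a regular SASL
    exchange (as with XEP-0305); the token is spent either way.
    """
    if not store.consume(token, stream_id, RESUME):
        return "new-session-sasl"
    if not server_state_alive:
        return "new-session-sasl"
    return "resumed"


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    # Constructed scenario: one store, several issued tokens, each misused once.
    clock = FakeClock()
    store = QsrTokenStore(b"constructed-server-secret", 300, clock)
    results = {}

    t = store.issue("stream-A")
    results["sasl_use_rejected"] = store.consume(t, "stream-A", SASL)    # False
    results["spent_after_misuse"] = store.consume(t, "stream-A", RESUME)  # False

    t = store.issue("stream-B")
    results["resume_ok"] = attempt_resume(store, t, "stream-B", True)     # "resumed"
    results["replay"] = attempt_resume(store, t, "stream-B", True)        # "new-session-sasl"

    t = store.issue("stream-C")
    results["failed_resume"] = attempt_resume(store, t, "stream-C", False)  # "new-session-sasl"

    t = store.issue("stream-D")
    clock.now += 301
    results["expired"] = store.consume(t, "stream-D", RESUME)            # False

    t = store.issue("stream-E")
    results["wrong_stream"] = store.consume(t, "stream-F", RESUME)       # False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The consume-before-check ordering is the point of the example: rejecting the token as a SASL credential also burns it, so a client that tries the shortcut Michal asks about cannot then replay the same token for a legitimate resumption.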
