On Thu, Jan 24, 2019 at 6:46 PM, Jonas Schäfer <[email protected]> wrote:
> For stuff like TURN/STUN/... I would suggest investigating the possibility of
> tokens for user authentication (which cannot be used to log into the XMPP
> service). I think I’ve seen such an implementation of a STUN/TURN/XMPP setup
> in the past, but I can’t remember where.
I'm actually coming to the conclusion that using SASL EXTERNAL is a better
approach to address all those issues with SCRAM:

1) You don't keep user credentials on the server
2) A user is absolutely sure the server doesn't store the credentials
3) I'm not aware of any interop problems, well, maybe with elliptic certs,
   but this is resolved by server upgrades (while supporting a new SHA cannot
   be resolved by a server upgrade only)
4) Any external service supporting TLS (such as TURN or SIP) is able to
   authenticate you

The drawback is that a client implementing this typically has terrible UX,
but this can be resolved IMHO (unlike SCRAM).
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
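The reply above rests on two properties of SCRAM: the server keeps a per-user verifier, and offering a new hash (say SCRAM-SHA-256 next to SCRAM-SHA-1) needs the plaintext password again, so it is not a server-only upgrade. The following is an added example, not code from the thread or from any XMPP server; it models what a SCRAM (RFC 5802) server stores and checks using only the Python standard library. The password, salt, user name and nonces are constructed for the demonstration and are not RFC test vectors.

```python
"""SCRAM (RFC 5802) server-side storage and verification, modelled with the
Python standard library. Added example; all values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ScramRecord:
    """What a SCRAM server keeps per user: no password, but a secret verifier."""
    hash_name: str      # "sha1" for SCRAM-SHA-1, "sha256" for SCRAM-SHA-256
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey): lets the server check client proofs
    server_key: bytes   # HMAC(SaltedPassword, "Server Key"): lets it prove itself


def salted_password(hash_name: str, password: str, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 section 2.2 is PBKDF2 with HMAC-H and one output block."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)


def enroll(hash_name: str, password: str, salt: bytes, iterations: int) -> ScramRecord:
    """Registration or password change: the only step that needs the plaintext,
    and it must be repeated for every hash the server wants to offer."""
    sp = salted_password(hash_name, password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hash_name).digest()
    return ScramRecord(
        hash_name, salt, iterations,
        stored_key=hashlib.new(hash_name, client_key).digest(),
        server_key=hmac.new(sp, b"Server Key", hash_name).digest(),
    )


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_proof(hash_name: str, password: str, salt: bytes, iterations: int,
                 auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    sp = salted_password(hash_name, password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    client_signature = hmac.new(stored_key, auth_message, hash_name).digest()
    return _xor(client_key, client_signature)


def server_verify(record: ScramRecord, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and compare H(ClientKey)
    with StoredKey. The password never appears here."""
    client_signature = hmac.new(record.stored_key, auth_message, record.hash_name).digest()
    client_key = _xor(proof, client_signature)
    candidate = hashlib.new(record.hash_name, client_key).digest()
    return hmac.compare_digest(candidate, record.stored_key)


def server_signature(record: ScramRecord, auth_message: bytes) -> bytes:
    """Mutual authentication: the client checks HMAC(ServerKey, AuthMessage)."""
    return hmac.new(record.server_key, auth_message, record.hash_name).digest()


# Constructed demo values (not RFC test vectors, not real credentials).
PASSWORD = "correct-horse-battery"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 4096
# AuthMessage = client-first-bare "," server-first "," client-final-without-proof,
# with constructed user name and nonces.
AUTH_MESSAGE = (b"n=alice,r=cnonce123,"
                b"r=cnonce123snonce456,s=ABEiM0RVZneImaq7zN3u/w==,i=4096,"
                b"c=biws,r=cnonce123snonce456")


def demo() -> dict:
    """Run one SCRAM-SHA-1 exchange, then show that the SHA-1 record cannot
    serve a SCRAM-SHA-256 client: the server needs the password again to enroll it."""
    rec_sha1 = enroll("sha1", PASSWORD, SALT, ITERATIONS)
    rec_sha256 = enroll("sha256", PASSWORD, SALT, ITERATIONS)
    proof_sha1 = client_proof("sha1", PASSWORD, SALT, ITERATIONS, AUTH_MESSAGE)
    proof_sha256 = client_proof("sha256", PASSWORD, SALT, ITERATIONS, AUTH_MESSAGE)
    wrong = client_proof("sha1", "wrong-password", SALT, ITERATIONS, AUTH_MESSAGE)
    return {
        "sha1_ok": server_verify(rec_sha1, AUTH_MESSAGE, proof_sha1),
        "wrong_password": server_verify(rec_sha1, AUTH_MESSAGE, wrong),
        # A 32-byte SHA-256 proof checked against a 20-byte SHA-1 record never
        # verifies, and no SHA-256 record can be derived from rec_sha1.
        "sha256_against_sha1_record": server_verify(rec_sha1, AUTH_MESSAGE, proof_sha256),
        "sha256_ok": server_verify(rec_sha256, AUTH_MESSAGE, proof_sha256),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `server_verify` never sees the password but does depend on `stored_key`, so the SCRAM record is still a secret that must be protected even though it is not the credential itself; with SASL EXTERNAL the server holds only a CA trust anchor or a certificate-to-account mapping, which is the property points 1 and 2 of the reply are after. The `enroll` step is also why point 3 holds: every additional hash needs a fresh enrollment with the plaintext, which a server upgrade alone cannot perform.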