[JDEV] Re: Verifying Jabber + External Ident apps + Presence scalability + New protocol ideas submissions

Michael Hearn mhearn at subdimension.com
Tue Jun 19 15:01:50 CDT 2001


Hi,

Perhaps it would help if I filled everyone in on why we want to do this.
Basically, we are interested in creating an Identity system that, as well as
replacing the vCard ident system, acts somewhat like Microsoft Passport,
where websites can access and store their information in the user account
database, instead of forcing the user to create separate accounts with
separate passwords for each site etc.

However, to achieve this aim, we need a way of ensuring that external sites
can verify that a Jabber user is who they say they are. So for instance if I
give a site a JID, it needs to be able to verify that I am who I say I am.
This could be done by simply using the Jabber account password, but giving n
sites whose security systems are unknown your password probably isn't a good
idea.

So we need to be able to ensure that when a site is given a JID, that the
user can authorize that site to access their personal info. We could do this
by having the site subscribe to the presence of all its users, and by
embedding the user's IP into presence (is this acceptable privacy wise?) it
would ensure that the given JID could be verified against the IP of the
computer attempting to access the site, making taking over somebody's
account very difficult unless you know the password.

However, I am unsure how scalable this solution is. We've already seen the
problems JabberBot had with large scale presence, would a site suffer if say
it had to monitor the presence and IP of a million users? Is this workable?
If it is then it's a neat solution (although of course the user would have
to be running an IM client), but otherwise it's back to the drawing board.

Can anyone provide answers to these questions? Also, if people have ideas
for new protocols or "featurelets" - small features such as the buddy icons
idea, how does this work in terms of the foundation? Do we have a place to
keep all these ideas and develop them, then inform client authors about new
protocols?

I know there is a lot here, but help on this would be greatly appreciated.

thanks -mike
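
The site-side check proposed in this message, sketched as an added example; it is not code from the post or from the Jabber project. The `example:presence-ip` namespace, the `<ip>` child element, the names `PresenceVerifier`, `stanza` and `demo`, and the sample stanzas are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Hypothetical namespace for the proposed "IP in presence" extension.
# It is an assumption for this example, not a real Jabber namespace.
IP_NS = "example:presence-ip"


class PresenceVerifier:
    """Site-side table of online users, fed by the presence it subscribed to."""

    def __init__(self):
        self.online = {}  # bare JID -> {resource: advertised IP}

    def handle_presence(self, stanza_xml):
        p = ET.fromstring(stanza_xml)
        bare, _, resource = p.get("from", "").partition("/")
        bare = bare.lower()
        ptype = p.get("type")
        if ptype == "unavailable":
            # Logout must revoke the binding, or a stale IP keeps verifying.
            self.online.get(bare, {}).pop(resource, None)
        elif ptype is None:  # plain "available" presence; ignore other types
            ip = p.findtext(f"{{{IP_NS}}}ip")
            if ip:
                self.online.setdefault(bare, {})[resource] = ip.strip()

    def verify(self, claimed_jid, request_ip):
        """True if an online resource of claimed_jid advertised request_ip.

        This binds the JID to an address, not to one browser: every host
        behind the same NAT or proxy presents the same request_ip.
        """
        bare = claimed_jid.partition("/")[0].lower()
        return request_ip in self.online.get(bare, {}).values()


def stanza(jid, ip):
    # Builds a constructed sample stanza carrying the hypothetical <ip> child.
    return f"<presence from='{jid}'><ip xmlns='{IP_NS}'>{ip}</ip></presence>"


def demo():
    v = PresenceVerifier()
    v.handle_presence(stanza("mike@example.org/home", "192.0.2.10"))
    results = {
        "owner": v.verify("mike@example.org", "192.0.2.10"),
        "wrong_ip": v.verify("mike@example.org", "203.0.113.5"),
        "unknown_jid": v.verify("nobody@example.org", "192.0.2.10"),
    }
    v.handle_presence("<presence from='mike@example.org/home' type='unavailable'/>")
    results["after_logout"] = v.verify("mike@example.org", "192.0.2.10")
    return results
```

The table holds one entry per online resource, so its size and update rate grow with the number of subscribed users, which is the scalability question raised above.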



