[JDEV] Re: Verifying Jabber + External Ident apps ...

[jabber at msg.net]

> Perhaps it would help if I filled everyone in on why we want to do this.
> Basically, we are interested in creating an Identity system that as well as
> replacing the vCard ident system acts somewhat like Microsoft Passport,
> where websites can access and store their information in the user account
> database, instead of forcing the user to create separate accounts with
> separate passwords for each site etc.

Interesting idea, I never really cared for the concept behind MS Passport,
trusting a third-party to handle your authentication to web sites?!?

Notice that AOL is doing something similar now- your Compuserve/AIM/AOL login
can now be used as your username/password for a number of web sites.
 

> However, to achieve this aim, we need a way of ensuring that external sites
> can verify that a Jabber user is who they say they are. So for instance if I
> give a site a JID, it needs to be able to verify that I am who I say I am.
> This could be done by simply using the Jabber account password, but giving n
> sites who's security systems are unknown your password probably isn't a good
> idea.

If your users are logging directly into your Jabber server(s), which are
then 'tightly coupled' to your authentication and web server implementation,
this system would be muche easier to implement.
 
For example, you could define a new transport (akin to  icq-transport, etc)
on your server to handle this 'remote service authentication' infrastructure,
and require that users who wish to use your 'passport' must be on your server-
not just any JID reachable from jabber.org, but username at authentibot.com.


> So we need to be able to ensure that when a site is given a JID, that the
> user can authorize that site to access their personal info. We could do this
> by having the site subscribe to the presence of all it's users, and by
> embedding the users IP into presence (is this acceptable privacy wise?) it

Embedding the user's IP into presence is _not_ acceptable, and is not viable!

Many users (everybody on AOL, most corporate users, etc) are behind pools of
caching proxies- each web request they make can source from any of a number of
IP addresses, of which it is possible that none are the same as the source IP
of their Jabber connection, and none of these addresses are the same as the
192.168.25.21 (private NAT address space) their client knows itself as.


> would ensure that the given JID could be verified against the IP of the
> computer attempting to access the site, making taking over somebodies
> account very difficult unless you know the password.

Jabber passwords are not well-protected, and IIRC, clients nor servers have
any way to indicate multiple simultaneous logins- If you are already logged in,
and another connection is started with your same JID, there really needs to be
a message sent appraising all pre-existing sessions of that JID of the fact.

 
> However, I am unsure how scalable this solution is. We've already seen the
> problems JabberBot had with large scale presence, would a site suffer if say
> it had to monitor the presence and IP of a million users? Is this workable?
 
Yes, tracking presence for a huge number of users in a single client would be
an issue- when you approach this scale, you need to start looking into making
your application a transport, and tying into a jabber server and the transport
mechanism on that server.

Kevin Kadow
MSG.Net, Inc.