[jdev] Re: XEP-0070 in PHP
Magnus Henoch
mange at freemail.hu
Wed Nov 15 10:44:37 CST 2006
"Norman Rasmussen" <norman at rasmussen.co.za> writes:
> I've been playing with OpenID and using the XEP-0070 example as a
> source for logic. It was very irritating to have a unique resource
> all the time because Psi loads each one in a new window.

Did you try the new XEP-0070 support from SVN?

> While thinking about what the resource can be set to I noticed a
> security flaw:
>
> - If an attacker can guess what the resource is going to be, then you
> have a problem.

Is that a problem? If so, the same should apply to a component
sending authorization requests.

As I understand it, XEP-0070 is based on the assumption that an XMPP
address cannot be forged. As long as that holds, I think there should
be no problem.

--
Magnus
JID: legoscia at jabber.cd.chalmers.se