[jdev] Alternate MUC Authentication Mechanisms
Peter Saint-Andre
stpeter at stpeter.im
Thu Oct 14 05:57:19 CST 2010
On 10/14/10 5:32 AM, Dave Cridland wrote:
> On Thu Oct 14 00:23:16 2010, Alex Milowski wrote:
>> I've been playing around with Multi-user Chat and I'm wondering if anyone
>> has experience with extending the protocol to include alternate room
>> password mechanisms? Specifically, I'm interested in using something like
>> digest authentication in conjunction with signed stanzas. I'd like to have
>> better guarantees on who is actually in the room.
>
> We handle authorization based on XEP-0258, and we're working on putting
> together a signed stanzas specification which'd also help authenticate.
>
> For taking the "room password" mechanism beyond a simple plaintext
> password - which is really not a security thing at all - you'd need to
> establish something like a SASL exchange between the user and the room.
> It's possible you could do this by provisioning the user with a
> XEP-0077 registration exchange embodying a SASL exchange, which'd
> leave you having "proven" the user and obtaining their certificate, in
> which case the signed stanzas would suffice to authenticate the user.
>
> So this means writing a SASL-in-77 spec (not impossible), and working
> on a signing spec (Kurt, with whom I work, proposed XEP-0285, but I
> think we've convinced him into a different approach now).

Why would we do authentication-in-registration, rather than define a new
remote authentication extension? XEP-0077 is already overloaded to a
great degree, and the two functions of registration and authentication
seem quite separate to me.

Peter

--
Peter Saint-Andre
https://stpeter.im/