[Psi-devel] JEP-0070 support

Maciek Niedzielski machekku at uaznia.net
Fri Jun 30 08:57:39 PDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hal Rottenberg wrote:
> On 6/30/06, Maciek Niedzielski <machekku at uaznia.net> wrote:
>> The idea is to make HTTP authentication more secure by taking advantage
>> of strong XMPP authentication.
>> Instead of providing normal user/password to a website, you provide your
>> JID and a so-called transaction identifier. Then the server asks you via XMPP
>> "oh, it's really you trying to access this site?". If you confirm (in
>> your XMPP client), you get access to the site.
> 
> So if the http server is doing the xml, why must the client be
> modified at all?  Guess I'd have to see it in action, but I can
> imagine a situation where I would simply get a message with an
> activation code or a link to click?

As the JEP says, the confirmation goes back to the server via XMPP.
Then, even if the server sends the request by message, <thread/> is used
for tracking, and Psi doesn't send it.
And moreover, it turns out that for some authentication schemes (like
Digest) the user will have to provide some more info than just yes/no, so
the server would then have to parse the message or something.

Yes, I can imagine that the message would contain a normal "clickable"
link for clients that don't support this protocol, but this would be
just an extension.


> What I'm getting at is that if client modifications are required then
> the adoption rate will be pretty low.

I'm just implementing a draft standard, not inventing it ;)

- --
Maciek
 xmpp:machekku at uaznia.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEpUny7knNPWzAbeURAnXRAKC4Jf21yDvWRbUC69gvK8nGr5A7MgCfeZ38
WPLAjkjlwHDb9WqaqaFpcyM=
=Qgu0
-----END PGP SIGNATURE-----
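
The confirmation round trip discussed in this message, as an added example that is not part of the original post or of Psi's code: a client-side handler that approves only the transaction id the user entered on the website and echoes `<thread/>` and `<confirm/>` back so the server can match the reply. The stanza layout follows the published JEP-0070 specification; the JIDs, URL, ids and the function name `build_reply` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HTTP_AUTH_NS = "http://jabber.org/protocol/http-auth"
STANZA_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Constructed sample request (JIDs, URL and ids are made up). The stream's
# default jabber:client namespace is omitted to keep the sample short.
SAMPLE_REQUEST = """\
<message type='normal' from='files.example.org' to='user@example.net'>
  <thread>t-7f3a9c</thread>
  <body>Reply OK to confirm the request with transaction id 4821.</body>
  <confirm xmlns='http://jabber.org/protocol/http-auth'
           id='4821' method='GET' url='https://files.example.org/private'/>
</message>"""


def build_reply(request_xml, expected_id):
    """Return (approved, reply_xml) for an incoming confirmation request.

    expected_id is the transaction identifier the user typed into the
    website; a request carrying any other id is denied.
    """
    req = ET.fromstring(request_xml)
    confirm = req.find(f"{{{HTTP_AUTH_NS}}}confirm")
    if confirm is None:
        raise ValueError("not an http-auth confirmation request")
    approved = confirm.get("id") == expected_id

    reply = ET.Element("message", {"to": req.get("from")})
    if not approved:
        reply.set("type", "error")
    thread = req.find("thread")
    if thread is not None:
        # Echo <thread/>: this is how the server ties the reply to its request.
        ET.SubElement(reply, "thread").text = thread.text
    # Echo <confirm/> unchanged so id, method and url identify the HTTP request.
    ET.SubElement(reply, f"{{{HTTP_AUTH_NS}}}confirm", dict(confirm.attrib))
    if not approved:
        err = ET.SubElement(reply, "error", {"code": "401", "type": "auth"})
        ET.SubElement(err, f"{{{STANZA_NS}}}not-authorized")
    return approved, ET.tostring(reply, encoding="unicode")


if __name__ == "__main__":
    for entered in ("4821", "9999"):  # matching id, then a mismatched one
        print(build_reply(SAMPLE_REQUEST, entered))
```

A reply typed by hand in a client without this support would carry neither the echoed `<thread/>` nor the `<confirm/>` element, which is the tracking problem the message describes.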

