On 17/04/13 15:49, Daniele Ricci wrote: > Since there is no standard > (at least that I know, after my research), I made this up
I suggest talking to an appropriate standardization group (we are not one of those; the XMPP mailing lists might be) to make this into a usable and secure specification. > C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' > mechanism='OPENPGP'>[base64-encoded client public key]</auth> > S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>[random > challenge]</challenge> > C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>[challenge > signed using client private key]</response> Isn't this rather exploitable? If a malicious server sends <challenge>I, Daniele Ricci, promise to pay Simon McVittie $1 million</challenge> then you probably don't want to be signing that with your PGP key :-) (Or if the user is a Debian/Ubuntu developer with upload privileges, it could present a Debian .changes file authorizing the upload of a malicious package, for instance.) S _______________________________________________ telepathy mailing list telepathy@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/telepathy