On 28.10.2016 at 19:49, XMPP Extensions Editor wrote:
The XMPP Extensions Editor has received a proposal for a new XEP.

Title: Burner JIDs

Abstract:
    A mechanism by which users may request arbitrary anonymizing "burner" JIDs
    for short term use.


URL: http://xmpp.org/extensions/inbox/burner.html

Some feedback (since I started nitpicking on github):
I had trouble understanding the protocol whose gist is as follows until I read the security considerations:

C: <iq type='get'><identity xmlns='urn:xmpp:burner:0'/></iq>
S: <iq type='result'>...thejid...</iq>
It was not clear to me what the shared secret is used for here. What I assume is that the following happens: the user takes this JID and creates a new connection to the server and authenticates, presumably using the SASL EXTERNAL mechanism.

The server recognizes the user part of the JID as something generated as a burner JID. Note that the resource part is not usable here since resource binding only happens after authentication. Since the user part of the JID is exposed to other clients, how are replay attacks prevented?

One way to address this might be to handwave EXTERNAL auth and then use the resource part to verify that this client is authorized to use the JID. The verification might happen using Merlin's spell (aka XEP-0185). The server can then override the client's wish for a resource, which does not expose this information to other clients.


Security considerations:
- should those JIDs be traceable to the account that created them for the operator? I think that is desirable, also to limit the number of such jids. It makes them pseudonyms at most though which is ok for the use-cases that this XEP wants to address. Full anonymity... is a hard claim.

Registrar considerations:
  An authorization service that provides ephemeral "burner" identities.
I would remove "burner" here.
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
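The resource-based verification the reply sketches, as an added Python illustration that is not part of the mailing-list message or of the proposed XEP (whose actual mechanism is not shown on this page). It assumes a hypothetical server that, when issuing a burner JID, also hands the client a XEP-0185 style key (HMAC-SHA256 keyed with SHA-256 of a server secret over the bare JID); the client presents that key as its requested resource at bind time, the server checks it in constant time, and then substitutes a fresh random resource so the key is never visible to other clients. The function names, `SERVER_DOMAIN`, `SERVER_SECRET` and the issuance record are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed server-side state for this example (not from the XEP or the mail).
SERVER_DOMAIN = "example.org"
SERVER_SECRET = secrets.token_bytes(32)   # long-lived key that never leaves the server

# Which burner localparts exist and which account created them. Keeping this
# record makes the burner JID a pseudonym the operator can trace and rate-limit,
# which is the property the reply argues for, rather than full anonymity.
_issued: Dict[str, str] = {}


def xep0185_key(secret: bytes, material: str) -> str:
    """XEP-0185 style key: HMAC-SHA256, keyed with SHA-256(secret), over a string."""
    key = hashlib.sha256(secret).digest()
    return hmac.new(key, material.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_burner(creator_bare_jid: str) -> Tuple[str, str]:
    """Server side of the <identity xmlns='urn:xmpp:burner:0'/> request (assumed API).

    Returns the new burner bare JID and the proof the client must later present
    as its requested resource. Only the bare JID becomes visible to other users.
    """
    localpart = secrets.token_urlsafe(12)
    _issued[localpart] = creator_bare_jid
    bare = f"{localpart}@{SERVER_DOMAIN}"
    return bare, xep0185_key(SERVER_SECRET, bare)


def bind_burner(requested_full_jid: str) -> Optional[str]:
    """Server side of resource binding for a burner JID.

    The resource carried in the bind request must equal the XEP-0185 style key for
    this bare JID. Knowing the bare JID alone, which every correspondent has seen,
    is therefore not enough to bind it. On success the server overrides the
    resource with a random one so the proof is never exposed to other clients.
    """
    bare, sep, resource = requested_full_jid.partition("/")
    localpart, _, domain = bare.partition("@")
    if not sep or domain != SERVER_DOMAIN or localpart not in _issued:
        return None
    expected = xep0185_key(SERVER_SECRET, bare)
    if not hmac.compare_digest(expected, resource):
        return None
    return f"{bare}/{secrets.token_urlsafe(9)}"


if __name__ == "__main__":
    jid, proof = issue_burner("alice@example.org")
    print("issued:", jid)
    print("bound as:", bind_burner(f"{jid}/{proof}"))
    print("bare JID only:", bind_burner(f"{jid}/guess"))
```

The key is derived from the bare JID, so a proof issued for one burner cannot be reused to bind another, and the constant-time comparison avoids leaking the expected value through timing. The token the server assigns after a successful bind is what other clients see, which is the "override the client's wish for a resource" step in the reply.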