I want to start an effort, both on the specification side and the implementation side, for easier onboarding and to get rid of "master" passwords on users' devices.

As far as I can tell, this requires three mechanisms:

1) A one-time token authentication mechanism
2) A mechanism for clients allowing them to request that their servers sign a client-provided certificate signing request (CSR), so that the resulting certificate can be used for authentication (using SASL EXTERNAL)
3) A mechanism for clients to request a "master recovery password" from the server

A user story could go like this: A server operator generates a new account for the user on his XMPP service *and* a QR code which contains the JID and the one-time authentication token. Now the user installs an XMPP client and scans the QR code. The client authenticates using the one-time token and, immediately after successful authentication, generates an X.509 certificate and a certificate signing request (CSR). The CSR is then sent to the server to sign, which the server happily does. From now on the client uses the certificate with SASL EXTERNAL to authenticate.

The client also (optionally) requests a master recovery password from the server and tells the user to write the master password down and keep it in a safe place (back of the user's keyboard, obviously). This master recovery password can be used by the user to reclaim his account in case he has lost access to all of his devices, or to bootstrap a new device.

As far as I can tell we do not have a specification for any of the three mechanisms (happy to stand corrected). Since all three mechanisms are independent of each other, they could be used standalone and can be developed separately.

For now, I would like to focus on (2), to get rid of master passwords from devices and move towards per-device-certificate SASL EXTERNAL authentication.

I already talked with a few client and server developers at FOSDEM about this and received some valuable feedback. Now I'd like to gather input from a wider audience. Your feedback is much appreciated.

- Florian
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
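The following is an added example of mechanism (2) as described above, written for this page; it is not code from Florian, from any XEP, or from any XMPP server or client. It models the three parties' steps with Go's standard crypto/x509 package: the client generates a per-device key pair and a CSR naming its JID, the server checks the CSR's proof of possession and, crucially, that the requested identity matches the account that is actually logged in before signing, and the server later verifies the issued certificate against its own CA as it would at SASL EXTERNAL time. The type and function names (`ServerCA`, `ClientCSR`, `SignCSR`, `VerifyClientCert`), the domain `example.org` and the JID `alice@example.org` are constructed for the example. One deliberate simplification: the JID is carried in the certificate's CommonName, whereas RFC 6120 specifies the id-on-xmppAddr otherName subjectAltName; a real implementation would use that extension and verify it the same way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ServerCA is the server-side authority that signs client CSRs (hypothetical name).
type ServerCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// NewServerCA creates a self-signed CA the XMPP server would keep for client certificates.
func NewServerCA(domain string) (*ServerCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: domain + " client CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ServerCA{key: key, cert: cert}, nil
}

// ClientCSR is the client step: generate a fresh per-device key and a CSR for the JID.
// The private key never leaves the device; only the DER-encoded CSR is sent to the server.
func ClientCSR(jid string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: jid}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// SignCSR is the server step. authenticatedJID is the identity of the session that
// submitted the CSR (the one-time token login in the user story), not a value from the CSR.
func (ca *ServerCA) SignCSR(csrDER []byte, authenticatedJID string, lifetime time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	// Proof of possession: the CSR must be signed by the key it carries.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature check failed: %w", err)
	}
	// Identity binding: the server, not the client, decides which JID goes into the
	// certificate. A CSR naming another account is rejected.
	if csr.Subject.CommonName != authenticatedJID {
		return nil, errors.New("csr subject does not match the authenticated account")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: authenticatedJID},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  false, // a device certificate must never be able to issue others
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// VerifyClientCert is what the server does at SASL EXTERNAL time: check that the presented
// certificate chains to its client CA, is valid now, and is usable for client authentication,
// then return the JID it asserts.
func (ca *ServerCA) VerifyClientCert(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, err := NewServerCA("example.org")
	if err != nil {
		panic(err)
	}
	_, csr, err := ClientCSR("alice@example.org")
	if err != nil {
		panic(err)
	}
	certDER, err := ca.SignCSR(csr, "alice@example.org", 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	jid, err := ca.VerifyClientCert(certDER)
	if err != nil {
		panic(err)
	}
	fmt.Println("SASL EXTERNAL would authenticate:", jid)
}
```

The check in `SignCSR` that the CSR's name equals the already-authenticated JID is the part a server implementer should not skip: the signing request is only as trustworthy as the session that carries it, so the one-time token (or existing credential) is what authorizes the identity, and the CSR only contributes the public key. Because the TLS handshake proves possession of the private key, SASL EXTERNAL then needs no secret on the device beyond that per-device key, which is what removes the master password.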
