Hi,
I like the idea of Florian, but as for the implementation I'd rather lean
towards something that Андрей described.
SASL EXTERNAL has some practical issues, like client certs being sent in
cleartext [1] and the fact that, for example, Android requires the lock
screen to be on to add client certs to the store, not to mention problems
in browsers (browsers can generally do client certs, but I'm not sure
whether any XMPP server would do a client cert handshake over WebSockets).
[1]: https://stackoverflow.com/q/20319768
Generating QR codes with tokens that basically replace the master password
seems like a nice compromise.
Actually, even provisioning a mobile client with an XMPP URI encoded as a
QR code would be a big improvement; that way users could use high-entropy
passwords scanned from their server page. If they don't need to type the
password, it may be long and complex. And if they lose their device, they
could regenerate the password from the provider's page and re-scan
another QR code.
Kind regards,
Wiktor
--
https://metacode.biz/@wiktor
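Added example (my own Python sketch, not code from this thread or from any XMPP project) of the QR-provisioning flow described above: the provider page issues a high-entropy password, encodes it in an xmpp: URI for the QR code, and regenerating it invalidates the copy on a lost device. The `?password=` query key, the `ProviderPage` class and `demo()` are assumptions for illustration, not a standard.

```python
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

PASSWORD_BYTES = 32  # 256 bits of randomness; nobody has to type it


def build_uri(localpart, domain, password):
    # Assumed layout (not a standard): xmpp:user@domain?password=<secret>
    return f"xmpp:{quote(localpart)}@{domain}?password={quote(password, safe='')}"


def parse_uri(uri):
    """Client side: recover (localpart, domain, password) from a scanned URI."""
    scheme, _, rest = uri.partition(":")
    if scheme != "xmpp":
        raise ValueError("not an xmpp: URI")
    jid, _, query = rest.partition("?")
    localpart, _, domain = jid.partition("@")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    if "password" not in params:
        raise ValueError("no provisioning password in URI")
    return unquote(localpart), domain, unquote(params["password"])


class ProviderPage:
    """Server side: hands out a fresh password and stores only its hash.
    A plain SHA-256 is enough here because the secret is 256 random bits;
    a user-chosen password would need a slow password KDF instead."""

    def __init__(self, domain):
        self.domain = domain
        self._hashes = {}  # localpart -> sha256 of the current password

    def provision(self, localpart):
        # A new call replaces the old password, so the QR code on a lost
        # device stops working as soon as the user regenerates it.
        password = secrets.token_urlsafe(PASSWORD_BYTES)
        self._hashes[localpart] = hashlib.sha256(password.encode()).digest()
        return build_uri(localpart, self.domain, password)

    def check(self, localpart, password):
        stored = self._hashes.get(localpart)
        if stored is None:
            return False
        candidate = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(stored, candidate)


def demo():
    """Provision, lose the device, regenerate: the old secret must be rejected."""
    page = ProviderPage("example.com")
    first = parse_uri(page.provision("wiktor"))   # scanned onto the first phone
    second = parse_uri(page.provision("wiktor"))  # regenerated after the loss
    return page.check("wiktor", first[2]), page.check("wiktor", second[2]), first[:2]
```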
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards