[Telepathy] XMPP: OpenPGP SASL mechanism
Simon McVittie
simon.mcvittie at collabora.co.uk
Wed Apr 17 08:08:59 PDT 2013
On 17/04/13 15:49, Daniele Ricci wrote:
> Since there is no standard
> (at least that I know, after my research), I made this up
I suggest talking to an appropriate standardization group (we are not
one of those; the XMPP mailing lists might be) to make this into a
usable and secure specification.
> C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
> mechanism='OPENPGP'>[base64-encoded client public key]</auth>
> S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>[random
> challenge]</challenge>
> C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>[challenge
> signed using client private key]</response>
Isn't this rather exploitable? If a malicious server sends
<challenge>I, Daniele Ricci, promise to pay Simon McVittie $1
million</challenge>
then you probably don't want to be signing that with your PGP key :-)
(Or if the user is a Debian/Ubuntu developer with upload privileges, it
could present a Debian .changes file authorizing the upload of a
malicious package, for instance.)
S
More information about the telepathy
mailing list