[Telepathy] XMPP: OpenPGP SASL mechanism

Simon McVittie simon.mcvittie at collabora.co.uk
Wed Apr 17 08:08:59 PDT 2013

On 17/04/13 15:49, Daniele Ricci wrote:
> Since there is no standard
> (at least that I know, after my research), I made this up

I suggest talking to an appropriate standardization group (we are not
one of those; the XMPP mailing lists might be) to make this into a
usable and secure specification.

> C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
> mechanism='OPENPGP'>[base64-encoded client public key]</auth>
> S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>[random
> challenge]</challenge>
> C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>[challenge
> signed using client private key]</response>

Isn't this rather exploitable? If a malicious server sends

<challenge>I, Daniele Ricci, promise to pay Simon McVittie $1

then you probably don't want to be signing that with your PGP key :-)

(Or if the user is a Debian/Ubuntu developer with upload privileges, it
could present a Debian .changes file authorizing the upload of a
malicious package, for instance.)


More information about the telepathy mailing list