[DotGNU]Jabber & Authentication

From: Jonathan P Springer
Subject: [DotGNU]Jabber & Authentication
Date: Mon, 22 Apr 2002 00:20:00 -0400
User-agent: Mutt/1.3.28i

So I started fiddling with the idea of accepting SOAP over Jabber.
Essentially, I'm trying to create a Jabber "client" that will accept
SOAP as the content of a Message or Query (asynchronous vs.
synchronous).  The first problem I faced was having the client securely
log in to the server.  This is the traditional problem of "How do I
automate a password?".

For the time being, I'll stow the password locally in a file and use the
Jabber SHA-1 digest method to encrypt it on its way to authenticate with
the server.  Unfortunately, because Jabber wants the SHA-1 digest of
concatenate(SessionID, Password), I can't put the password in the file
in its digest form.  That leaves two options:  (1) use a two-way
encryption scheme to store passwords locally, or (2) trust root and
whomever may have access to the UID under which the service is run.

I don't particularly trust either of those options.  In my ideal world,
Jabber will expand to support some sort of public/private key
authentication (though I guess I must still trust root to steer clear of
my private keys in that case).

I guess my question boils down to:  What are the thoughts of others in
the group on how automated services authenticate with each other and
establish trust?  Feel free to tell me to RTFM.  (Just tell me where TFM


-Jonathan P Springer <address@hidden>
"A standard is an arbitrary solution to a recurring problem." - Joe Hazen
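
The digest constraint described in the message above, as an added example that is not part of the original post: it computes SHA-1 over concatenate(SessionID, Password), shows why a file holding only a pre-hashed password cannot answer the server, and checks that the plaintext file from option (2) is readable only by the service UID. The function names, the sample session IDs and password, the UTF-8 encoding and the server-side check are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import stat


def jabber_digest(session_id: str, password: str) -> str:
    """Lowercase hex SHA-1 of concatenate(SessionID, Password)."""
    return hashlib.sha1((session_id + password).encode("utf-8")).hexdigest()


def server_verify(session_id: str, stored_password: str, client_digest: str) -> bool:
    """Hypothetical server side: recompute the digest from the password it
    holds and compare in constant time."""
    expected = jabber_digest(session_id, stored_password)
    return hmac.compare_digest(expected, client_digest)


def load_service_password(path: str) -> str:
    """Option (2): plaintext file, refused unless only the owner can access it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\n")


def demo() -> dict:
    password = "constructed-service-secret"  # constructed sample value
    sid_a, sid_b = "3C7A1F02", "9B44E6D1"    # constructed per-session IDs
    digest_a = jabber_digest(sid_a, password)
    # A file that stores only SHA-1(password) cannot yield the expected digest,
    # because the session ID is mixed in before hashing.
    prehashed = hashlib.sha1(password.encode("utf-8")).hexdigest()
    from_prehash = jabber_digest(sid_a, prehashed)
    return {
        "accepted": server_verify(sid_a, password, digest_a),
        # The same digest is useless on a session with a different ID.
        "replayed_on_new_session": server_verify(sid_b, password, digest_a),
        "prehashed_file_works": server_verify(sid_a, password, from_prehash),
    }


if __name__ == "__main__":
    print(demo())
```
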
