[jdev] Presence leak test suite


Brendan Taylor
06-30-2008, 02:09 AM
I've started a suite for testing XMPP clients for presence leaks. You
can get it with git:

git clone git://github.com/bct/eyestalk.git

Project page at http://github.com/bct/eyestalk/tree/master

It doesn't have very many test cases yet. Any test case suggestions
would be appreciated.

_______________________________________________
JDev mailing list
FAQ: http://www.jabber.org/discussion-lists/jdev-faq
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: JDev-unsubscribe (AT) jabber (DOT) org
_______________________________________________


Jonathan Dickinson
06-30-2008, 09:47 AM
Hi People,

Seems like people are taking OAuth seriously. Google has (apparently) recently rolled out support for it. Quoted:

"This is what OAuth does, it allows the you the User to grant access to your private resources on one site (which is called the Service Provider), to another site (called Consumer, not to be confused with you, the User). While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts)."

Maybe someone should have a look at this for a possible interop spec? Hit login, open a web page and authenticate: I suppose it works like the Facebook API in many ways (can store a permanent login token).

The nice thing about it, I guess, is that by supporting it we can remove the dependency of plain-text passwords in the DB (because you are in charge of how the passwords are checked, not X-amount of SASL mechanisms that collectively force you to store it in plain-text).

http://oauth.net

-- Jonathan

Pedro Melo
06-30-2008, 04:18 PM
Hi,

On Jun 30, 2008, at 8:44 AM, Jonathan Dickinson wrote:
> Maybe someone should have a look at this for a possible interop
> spec? Hit login, open a web page and authenticate: I suppose it
> works like the Facebook API in many ways (can store a permanent
> login token)

In the Social mailing list (http://mail.jabber.org/mailman/listinfo/
social) there was some discussion about OAuth in the past.

Use cases discussed were:

* allow a third party to manipulate your roster;
* allow a third party to publish something to your private PIP or
PEP nodes (say FireEagle updating your GeoLocation node);

Check the list archives for more information.

Best regards,
--
HIId: Pedro Melo
SMTP: melo (AT) co (DOT) sapo.pt
XMPP: pedro.melo (AT) sapo (DOT) pt



Peter Saint-Andre
07-01-2008, 10:39 PM
Jonathan Dickinson wrote:
> Hi People,
>
> Seems like people are taking OAuth seriously. Google has (apparently)
> recently rolled out support for it. Quoted:
>
> "This is what OAuth does, it allows the you the User to grant access
> to your private resources on one site (which is called the Service
> Provider), to another site (called Consumer, not to be confused with
> you, the User). While OpenID is all about using a single identity to
> sign into many sites, OAuth is about giving access to your stuff
> without sharing your identity at all (or its secret parts)."
>
> Maybe someone should have a look at this for a possible interop spec?
> Hit login, open a web page and authenticate: I suppose it works like
> the Facebook API in many ways (can store a permanent login token).
>
> The nice thing about it, I guess, is that by supporting it we can
> remove the dependency of plain-text passwords in the DB (because you
> are in charge of how the passwords are checked, not X-amount of SASL
> mechanisms that collectively force you to store it in plain-text).

As far as I understand it, OAuth is for *authorization*, not
*authentication*. So an XMPP service would use OAuth to allow someone to
(say) publish to your PEP nodes, would not use it as a substitute for
native authentication. IMHO, anyway.

Peter


Peter Saint-Andre
07-02-2008, 12:26 AM
Brendan Taylor wrote:
> I've started a suite for testing XMPP clients for presence leaks.

Thanks, Brendan!

> You
> can get it with git:
>
> git clone git://github.com/bct/eyestalk.git
>
> Project page at http://github.com/bct/eyestalk/tree/master
>
> It doesn't have very many test cases yet. Any test case suggestions
> would be appreciated.

I haven't put a lot of thought into test cases for presence leaks, but
it would be good to have such a list. Perhaps we can chat about this at
the XMPP Summit. :)

Peter




spike411
07-09-2008, 04:19 PM
> I've started a suite for testing XMPP clients for presence leaks. You
> can get it with git:
>
> git clone git://github.com/bct/eyestalk.git
>
> Project page at http://github.com/bct/eyestalk/tree/master
>
> It doesn't have very many test cases yet. Any test case suggestions
> would be appreciated.

I'm not good at reading code, so this question might be invalid – can you also test presence leaks using guessed well-known resources like client names (Psi, Gajim, Miranda, QIP, Adium etc.) or places (Home, Work, School etc.)? I think it could push client authors to use random-generated resource names.

Lukáš 'Spike' Polívka

Kevin Smith
07-09-2008, 04:40 PM
On Wed, Jul 9, 2008 at 3:19 PM, JabberForum <list-jdev (AT) jabberforum (DOT) org> wrote:
> I'm not good at reading code, so this question might be invalid – can
> you also test presence leaks using guessed well-known resources like
> client names (Psi, Gajim, Miranda, QIP, Adium etc.) or places (Home,
> Work, School etc.)? I think it could push client authors to use
> random-generated resource names.

I don't understand why this would be something we'd want to push for.

/K

Peter Saint-Andre
07-09-2008, 04:48 PM
Kevin Smith wrote:
> On Wed, Jul 9, 2008 at 3:19 PM, JabberForum <list-jdev (AT) jabberforum (DOT) org> wrote:
>> I'm not good at reading code, so this question might be invalid – can
>> you also test presence leaks using guessed well-known resources like
>> client names (Psi, Gajim, Miranda, QIP, Adium etc.) or places (Home,
>> Work, School etc.)? I think it could push client authors to use
>> random-generated resource names.
>
> I don't understand why this would be something we'd want to push for.

Because some people are paranoid?




Kevin Smith
07-09-2008, 04:58 PM
On Wed, Jul 9, 2008 at 3:46 PM, Peter Saint-Andre <stpeter (AT) stpeter (DOT) im> wrote:
>>> you also test presence leaks using guessed well-known resources like
>>> client names (Psi, Gajim, Miranda, QIP, Adium etc.) or places (Home,
>>> Work, School etc.)? I think it could push client authors to use
>>> random-generated resource names.
>> I don't understand why this would be something we'd want to push for.
> Because some people are paranoid?

Paranoid people can use as random a resource as they want to - it
doesn't mean the rest of us need to :)

/K

Justin Karneges
07-09-2008, 06:11 PM
On Wednesday 09 July 2008 07:55:58 Kevin Smith wrote:
> On Wed, Jul 9, 2008 at 3:46 PM, Peter Saint-Andre <stpeter (AT) stpeter (DOT) im>
wrote:
> >>> you also test presence leaks using guessed well-known resources like
> >>> client names (Psi, Gajim, Miranda, QIP, Adium etc.) or places (Home,
> >>> Work, School etc.)? I think it could push client authors to use
> >>> random-generated resource names.
> >>
> >> I don't understand why this would be something we'd want to push for.
> >
> > Because some people are paranoid?
>
> Paranoid people can use as random a resource as they want to - it
> doesn't mean the rest of us need to :)

And a random resource isn't necessary anyway, just good privacy control on the
server. (/me still wants a server that will bounce all iqs from people who
don't have his presence.)

-Justin

Peter Saint-Andre
07-09-2008, 06:35 PM
Justin Karneges wrote:
> On Wednesday 09 July 2008 07:55:58 Kevin Smith wrote:
>> On Wed, Jul 9, 2008 at 3:46 PM, Peter Saint-Andre <stpeter (AT) stpeter (DOT) im>
> wrote:
>>>>> you also test presence leaks using guessed well-known resources like
>>>>> client names (Psi, Gajim, Miranda, QIP, Adium etc.) or places (Home,
>>>>> Work, School etc.)? I think it could push client authors to use
>>>>> random-generated resource names.
>>>> I don't understand why this would be something we'd want to push for.
>>> Because some people are paranoid?
>> Paranoid people can use as random a resource as they want to - it
>> doesn't mean the rest of us need to :)
>
> And a random resource isn't necessary anyway, just good privacy control on the
> server. (/me still wants a server that will bounce all iqs from people who
> don't have his presence.)

Including directed presence?

/psa



Alexey Nezhdanov
07-09-2008, 06:47 PM
On Wednesday 09 July 2008 20:33:32 Peter Saint-Andre wrote:
> Justin Karneges wrote:
> > On Wednesday 09 July 2008 07:55:58 Kevin Smith wrote:
> >> On Wed, Jul 9, 2008 at 3:46 PM, Peter Saint-Andre <stpeter (AT) stpeter (DOT) im>
> >
> > wrote:
> >>>>> you also test presence leaks using guessed well-known resources like
> >>>>> client names (Psi, Gajim, Miranda, QIP, Adium etc.) or places (Home,
> >>>>> Work, School etc.)? I think it could push client authors to use
> >>>>> random-generated resource names.
> >>>>
> >>>> I don't understand why this would be something we'd want to push for.
> >>>
> >>> Because some people are paranoid?
> >>
> >> Paranoid people can use as random a resource as they want to - it
> >> doesn't mean the rest of us need to :)
> >
> > And a random resource isn't necessary anyway, just good privacy control
> > on the server. (/me still wants a server that will bounce all iqs from
> > people who don't have his presence.)
>
> Including directed presence?
Why does it matter? Either someone got my presence or he didn't.
So he either can query my client for something or he can't.
If I am not mistaken, the server remembers all presences that it sent to peers, so
when the client disconnects the server automatically sends offline presences
everywhere it needs to. That of course includes directed presences.

> /psa



--
Sincerely yours
Alexey Nezhdanov

Peter Saint-Andre
07-09-2008, 06:54 PM
Alexey Nezhdanov wrote:
> On Wednesday 09 July 2008 20:33:32 Peter Saint-Andre wrote:
>> Justin Karneges wrote:
>>> On Wednesday 09 July 2008 07:55:58 Kevin Smith wrote:
>>>> On Wed, Jul 9, 2008 at 3:46 PM, Peter Saint-Andre <stpeter (AT) stpeter (DOT) im>
>>> wrote:
>>>>>>> you also test presence leaks using guessed well-known resources like
>>>>>>> client names (Psi, Gajim, Miranda, QIP, Adium etc.) or places (Home,
>>>>>>> Work, School etc.)? I think it could push client authors to use
>>>>>>> random-generated resource names.
>>>>>> I don't understand why this would be something we'd want to push for.
>>>>> Because some people are paranoid?
>>>> Paranoid people can use as random a resource as they want to - it
>>>> doesn't mean the rest of us need to :)
>>> And a random resource isn't necessary anyway, just good privacy control
>>> on the server. (/me still wants a server that will bounce all iqs from
>>> people who don't have his presence.)
>> Including directed presence?
> Why does it matter? Either someone got my presence or he didn't.
> So he either can query my client for something or he can't.
> If I am not mistaken - server remembers all presences that it sent to peers so
> when client disconnects - server automatically send offline presences
> everywhere it needs to. That of course includes directed presences.

My point is that the server can't just check the subscription state in
the roster. Also it introduces a good argument for my proposed best
practice of sharing presence for ad-hoc chats/interactions:

http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3921bis-05.html#message-chat

/psa



Kevin Smith
07-09-2008, 07:41 PM
> My point is that the server can't just check the subscription state in the
> roster. Also it introduces a good argument for my proposed best practice of
> sharing presence for ad-hoc chats/interactions:
> http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3921bis-05.html#message-chat

Yes, I've agreed that sharing presence when chatting makes sense for a
while, so I agree with the best practice. It does seem weird to have
that the client MUST allow this to be disabled though - currently,
that section reads that a client is not XMPP compliant (i.e. it breaks
a MUST in the RFC) if it follows the best practices in the RFC :)

/K

Peter Saint-Andre
07-09-2008, 08:01 PM
Kevin Smith wrote:
>> My point is that the server can't just check the subscription state in the
>> roster. Also it introduces a good argument for my proposed best practice of
>> sharing presence for ad-hoc chats/interactions:
>> http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3921bis-05.html#message-chat
>
> Yes, I've agreed that sharing presence when chatting makes sense for a
> while, so I agree with the best practice. It does seem weird to have
> that the client MUST allow this to be disabled though - currently,
> that section reads that a client is not XMPP compliant (i.e. it breaks
> a MUST in the RFC) if it follows the best practices in the RFC :)

Hmm, am I missing something? The text in section 5.4 of rfc3921bis says:

***

If a user exchanges messages with a contact but the user does not
normally share presence with the contact via a presence subscription, it
is RECOMMENDED for the user's client to send directed presence to the
contact, subject to user approval (either explicitly for this contact or
implicitly via a configuration setting). If a client supports this
feature, it MUST allow the user to disable the feature in order to
prevent presence sharing with unknown entities.

***

So presence sharing is RECOMMENDED, and a client MUST allow a (paranoid)
user to disable the RECOMMENDED practice of presence sharing. I don't
see an outright contradiction there. A tension, perhaps. :)

/psa



Kevin Smith
07-09-2008, 08:28 PM
On Wed, Jul 9, 2008 at 6:59 PM, Peter Saint-Andre <stpeter (AT) stpeter (DOT) im> wrote:
> Hmm, am I missing something?

You're not, there's no contradiction.

I just find it a bit amusing that we have a best practice, but a MUST
be possible to not follow the best practice.

Nevermind me :)

/K

Peter Saint-Andre
07-09-2008, 08:33 PM
Kevin Smith wrote:
> On Wed, Jul 9, 2008 at 6:59 PM, Peter Saint-Andre <stpeter (AT) stpeter (DOT) im> wrote:
>> Hmm, am I missing something?
>
> You're not, there's no contradiction.
>
> I just find it a bit amusing that we have a best practice, but a MUST
> be possible to not follow the best practice.

Yes, because this specification will be reviewed by the security mafia...

/psa



Justin Karneges
07-09-2008, 08:49 PM
On Wednesday 09 July 2008 09:33:32 Peter Saint-Andre wrote:
> Justin Karneges wrote:
> > On Wednesday 09 July 2008 07:55:58 Kevin Smith wrote:
> >> On Wed, Jul 9, 2008 at 3:46 PM, Peter Saint-Andre <stpeter (AT) stpeter (DOT) im>
> >
> > wrote:
> >>>>> you also test presence leaks using guessed well-known resources like
> >>>>> client names (Psi, Gajim, Miranda, QIP, Adium etc.) or places (Home,
> >>>>> Work, School etc.)? I think it could push client authors to use
> >>>>> random-generated resource names.
> >>>>
> >>>> I don't understand why this would be something we'd want to push for.
> >>>
> >>> Because some people are paranoid?
> >>
> >> Paranoid people can use as random a resource as they want to - it
> >> doesn't mean the rest of us need to :)
> >
> > And a random resource isn't necessary anyway, just good privacy control
> > on the server. (/me still wants a server that will bounce all iqs from
> > people who don't have his presence.)
>
> Including directed presence?

Yep, that's the idea. If I send someone directed presence then they'd be
temporarily authorized. In current practice, this would really only be used
with MUC rooms. However, I can imagine a future practice of sending directed
presence to unsubscribed contacts or sending directed presence when invisible
(fortunately these are edge cases, so there's a lot to be gained even without
clients handling them yet).

-Justin
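As an added illustration of the server-side privacy control Justin describes (bounce IQs from anyone who does not currently hold your presence, with directed presence acting as a temporary grant) and of the rfc3921bis section 5.4 client behaviour Peter quotes earlier in the thread, here is a small Python simulation. It is not code from eyestalk or from any XMPP server; the JIDs, the roster, the `PresenceGate` class and the "deliver"/"bounce" labels are constructed for the example, and it also models Peter's point that the roster alone cannot answer for directed presence.

```python
from typing import Dict, Set

# Roster states in which the contact already receives our presence (RFC 3921).
SEES_PRESENCE = {"from", "both"}


def bare(jid: str) -> str:
    """Strip the resource: 'user@host/res' -> 'user@host'."""
    return jid.split("/", 1)[0]


class PresenceGate:
    """Simulated server-side gate: deliver an IQ only if the sender holds our presence."""

    def __init__(self, roster: Dict[str, str]) -> None:
        self.roster = roster  # bare JID -> 'none' | 'to' | 'from' | 'both'
        # Directed-presence grants, tracked apart from the roster: bare peer JID ->
        # set of our full JIDs that sent it available presence this session.
        self.directed: Dict[str, Set[str]] = {}

    def presence_sent(self, own_full: str, to_jid: str, available: bool = True) -> None:
        """Record a directed presence; an unavailable one revokes the grant."""
        grants = self.directed.setdefault(bare(to_jid), set())
        if available:
            grants.add(own_full)
        else:
            grants.discard(own_full)

    def session_ended(self, own_full: str) -> None:
        """On disconnect the server broadcasts unavailable presence, so all grants die."""
        for grants in self.directed.values():
            grants.discard(own_full)

    def allows_iq(self, sender: str, target_full: str) -> bool:
        peer = bare(sender)
        if self.roster.get(peer) in SEES_PRESENCE:
            return True  # the roster answers for subscribed contacts
        return target_full in self.directed.get(peer, set())  # else: directed grant?

    def route_iq(self, sender: str, target_full: str) -> str:
        # A real server would answer with an error stanza; here we only label the decision.
        return "deliver" if self.allows_iq(sender, target_full) else "bounce"


def on_message_sent(gate: PresenceGate, own_full: str, to_jid: str, share_on_chat: bool) -> bool:
    """Client side of rfc3921bis 5.4: share directed presence with an unsubscribed chat
    partner unless the user disabled the RECOMMENDED feature. Returns True if sent."""
    if not share_on_chat or gate.roster.get(bare(to_jid)) in SEES_PRESENCE:
        return False
    gate.presence_sent(own_full, to_jid)
    return True


def scenario() -> Dict[str, str]:
    """Constructed walk-through for a hypothetical juliet@example.com; returns decisions."""
    me, phone = "juliet@example.com/balcony", "juliet@example.com/phone"
    gate = PresenceGate({"romeo@example.com": "both",
                         "nurse@example.com": "to",  # we see her, she does not see us
                         "tybalt@example.com": "none"})
    out = {"romeo": gate.route_iq("romeo@example.com/garden", me),
           "nurse": gate.route_iq("nurse@example.com/kitchen", me),
           "tybalt_before": gate.route_iq("tybalt@example.com/sword", me)}
    on_message_sent(gate, me, "tybalt@example.com", share_on_chat=True)  # ad-hoc chat
    out["tybalt_after"] = gate.route_iq("tybalt@example.com/sword", me)
    out["tybalt_phone"] = gate.route_iq("tybalt@example.com/sword", phone)  # never shared
    gate.presence_sent(me, "capulet@conference.example.com/juliet")  # MUC join
    out["room"] = gate.route_iq("capulet@conference.example.com", me)
    gate.presence_sent(me, "capulet@conference.example.com/juliet", available=False)
    out["room_after_leave"] = gate.route_iq("capulet@conference.example.com", me)
    gate.session_ended(me)  # disconnect revokes every directed grant, roster ones stay
    out["tybalt_offline"] = gate.route_iq("tybalt@example.com/sword", me)
    out["romeo_phone"] = gate.route_iq("romeo@example.com/garden", phone)
    return out


if __name__ == "__main__":
    for case, decision in scenario().items():
        print(f"{case:18} {decision}")
```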

Pavel Simerda
08-01-2008, 08:13 PM
On Wed, 09 Jul 2008 12:31:04 -0600
Peter Saint-Andre <stpeter (AT) stpeter (DOT) im> wrote:

> Kevin Smith wrote:
> > On Wed, Jul 9, 2008 at 6:59 PM, Peter Saint-Andre
> > <stpeter (AT) stpeter (DOT) im> wrote:
> >> Hmm, am I missing something?
> >
> > You're not, there's no contradiction.
> >
> > I just find it a bit amusing that we have a best practice, but a
> > MUST be possible to not follow the best practice.
>
> Yes, because this specification will be reviewed by the security
> mafia...

Maybe I should help the mafia with the review. We use bugs in ICQ
presence privacy as one of the arguments to switch to Jabber, anyway :).

>
> /psa
>

Pavel

--

Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net