[asterisk-dev] [Code Review] New application JabberReceive, implement SendText in chan_gtalk and chan_jingle

Philippe Sultan philippe.sultan at gmail.com
Mon Dec 15 12:23:59 CST 2008


> So regarding my questions:
>
> | Who actually authenticates the user in this case?
>
> Remote XMPP servers authenticating the users (what about those relaying
> the messages?)

Well, each user authenticates to his XMPP server, which takes this
responsibility and relays the messages.

> | How difficult would it be for me to sneak in a message pretending to
> | be from someone else?
>
> I have no idea. I guess each server basically trusts all of its peers.
> But I'm not familiar with how XMPP networks actually work.

Yes, messages are relayed this way:
client -- server -- server -- client.

XMPP comes with several mechanisms to ensure the server-to-server
connection reaches a certain level of security (server dialback, TLS,
SASL), see http://www.ietf.org/rfc/rfc3920.txt (section 14.4). How
strong are those mechanisms and their implementations? That's the
question.

> | Who do I trust?
>
> All the XMPP servers in that specific XMPP network? Or is it just a
> specific one assigned that domain (by whom?)
>
>
> And I guess that a more practical question would be: is authentication
> by JID already in use anywhere for anything that is non-trivial?
>

Asterisk can't be responsible for authenticating JIDs, only servers
do, so yes, we rely on a set of XMPP servers to authenticate users.
Instead, Asterisk can deal with user authorization though, for example
by granting 'manager' privileges to JIDs, like Julian described it.

But yes, the point is that you have to trust your XMPP infrastructure here.

Philippe
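
The authorization step described in the message above, as an added example that is not part of the original post or of Asterisk's code: privileges are keyed on the bare JID, whose authentication is left to the XMPP servers. The table, function names and sample JIDs are constructed, and plain lowercasing is assumed in place of full stringprep normalization.

```python
# Added illustration; names and sample JIDs are constructed, not Asterisk code.

# Hypothetical authorization table: bare JID -> privileges granted.
PRIVILEGES = {
    "julian@example.org": {"manager"},
    "guest@example.org": {"message"},
}


def bare_jid(jid):
    """Return the normalized bare JID (local@domain), or None if malformed.

    The resource is everything after the FIRST '/', and may itself contain
    '@' or '/', so it must be cut off before looking for the '@' separator.
    """
    addr = jid.split("/", 1)[0]
    local, sep, domain = addr.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    # Assumption: lowercasing stands in for stringprep (nodeprep/nameprep).
    return f"{local.lower()}@{domain.lower()}"


def is_authorized(from_jid, privilege):
    """Authorize a sender whose JID the XMPP servers already authenticated.

    This only maps an identity to privileges; it cannot verify the identity.
    """
    bare = bare_jid(from_jid)
    if bare is None:
        return False  # fail closed on anything that does not parse
    return privilege in PRIVILEGES.get(bare, set())


if __name__ == "__main__":
    for sender in (
        "Julian@Example.ORG/laptop",            # privileged user, any resource
        "guest@example.org",                    # known user, lower privilege
        "other@example.net/julian@example.org", # privileged JID only in resource
        "example.org/res",                      # no local part: rejected
    ):
        print(sender, "->", is_authorized(sender, "manager"))
```

Matching on the bare JID means the resource part, which the client chooses freely, never influences the decision.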
