XEP-Remarks/XEP-0070: Verifying HTTP Requests via XMPP
This is a page for information about XEP-Remarks/XEP-0070: Verifying HTTP Requests via XMPP, including errata, comments, questions, and implementation experience.
SPOF, DoS, and privacy concerns
As pointed out in the following thread: here
- The way the XEP is written (as of 1.0.1), it means that web services using 0070 have to use one (or multiple) static endpoint that act as "Single" Point Of Failure.
- While having a SPOF might be fine in some cases, that single endpoint also now acts as the identity provider for the whole XMPP network as seen from the web service, allowing it to:
- refuse even legit users on (other) servers,
- being able to see the activity of anybody authenticating against the web service, (that is, only when authenticating).
This might be alleviated by the fact that the XEP was probably meant to have the HTTP/XMPP component run alongside the webservice, and not provided by other XMPP services, as corrected here. Nonetheless adoption might be easier if XMPP services provide such interfaces.