Notes on new Telepathy interfaces for various authentication needs.
Scope
- Client connection authentication that doesn't use a stored secret (e.g. Kerberos or Google's temporary tokens as opposed to a password).
- Asking for credentials for channels (e.g. password-protected chatrooms).
- Asking users whether to accept or reject server credentials (e.g. SSL certificates that can't be verified through the standard trust mechanisms). It should be possible to accept certificates permanently (continuity checking). Currently, each account has to accept or reject all unverifiable certificates. In theory you could include details of trusted certificates as connection parameters, but this doesn't allow leap-of-faith; you have to get the details via an out-of-band method.
- Asking users whether to accept contacts' credentials. This should work similarly to checking servers' credentials. The case where we expect this to turn up is Jabber XTLS.
- Allowing users not to store connection passwords but to enter them as needed.
Out of scope?
- Setting a password on a chatroom.
Interface
Authentication is split into two kinds: local (we need to provide credentials) and remote (a peer needs to provide credentials).
Channel type LocalAuthentication
Created when a peer wants us to authenticate ourselves.
- Property: Resource : o
- Object path of the resource undergoing authentication. This might be a connection or a channel.
Interface SaslAuthentication
Property: SaslMechanism: s
- Property: State : u
- Pending
- Authenticated
- Failed
- Property: Challenge : as
- A list with either 0 or 1 items.
- The item, if present, is a string describing an authentication challenge sent by the peer, which may be empty.
- If the list is empty, then the peer has not issued a challenge.
- Signal: Challenge : s
- Emitted when a challenge is received.
Method: Respond : s -> ()
Method: Abort : () -> ()
- Signal: Failure : ()
- Signal: Success : ()
Interface TlsCertificateVerification
Channel type RemoteAuthentication
Created when we want to authenticate the peer.
Open questions
- Separate authentication of the peer to us from authentication of ourselves to the peer? This would avoid the channel working in two modes at once.
- This interface suffers from the seesion handler interface inversion antipattern: it would be more elegant if the CM could call a Respond() method on the channel handler.
- Who decides which authentication mechanism to use? Is is the CM or the channel handler?
- How to retry authentication when Abort() is called?
- Is it ok for CMs to present as SASL authentication challenges which are not SASL in the underlying protocol? (E.g. passwords for chatrooms in XMPP.) I think yes.
- Include concept of identity/role to authenticate as? This might come up with some SASL mechanisms.
Naming of "LocalAuthentication"/"RemoteAuthentication" may be unclear.
Sjoerd suggests that local and remote authentication may not always be seperable. In this case, we should combine both channel types, and have something like a PendingAuthenticationDirections property which is 0, 1, or 2.
- How does the CM know when we don't trust the remote peer? Is it always clear from context, or does the client need to tell it to initiate remote authentication sometimes?