[Standards-JIG] JEP-0033 isn't implementable as external component according to JEP-0114

Tobias Markmann tmarkmann at googlemail.com
Wed Aug 9 09:04:00 CDT 2006


Okay... I already figured that out, but I don't know any server which allows
that... I heard that you can hack jabberd's connection manager to do so, but
the s2s component of it won't let the message pass through. Maybe the
trusted and untrusted part needs to be integrated in a more explicit way
into JEP-0114.

On 8/9/06, Peter Saint-Andre <stpeter at jabber.org> wrote:
>
> tmarkmann at googlemail.com wrote:
> > > Hi,
> > >
> > > In JEP-0033, section 2.2 Multicast Service, you can read that such a
> > > service is implementable as external service/component. The JEP-0033
> > > describes Extended Stanza Addressing. According to that JEP and the
> > > point that multicast services intercommunicate they need to be able to
> > > have full rights on editing the from attribute. However, JEP-0114 says
> > > the following in section 4. Security Considerations:
> > >
> > >     Given that an external component is trusted to write 'from'
> > >     addresses for any user at the component's hostname, server
> > >     administrators SHOULD make sure that they in fact do trust the
> > >     component software.
> > >
> > >
> > > Example 17 in JEP-0033 shows the component 'multicast.header2.org'
> > > editing the from address to a user from another server, which
> > > contradicts JEP-0114 Sec. 4.
>
> Not so.
>
> The security consideration in JEP-0114 says only "don't allow untrusted
> components to connect to your router" (good advice, no?). It does not
> say that multicast components (or any other kind of component) are or
> must be untrusted, and I think that a multicast component would have to
> be trusted in order to function properly. In any case, the security
> consideration in JEP-0114 provides advice to server administrators who
> deploy external components and does not constrain component developers
> in any way.
>
> Peter
>
> --
> Peter Saint-Andre
> Jabber Software Foundation
> http://www.jabber.org/people/stpeter.shtml
>
>
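The question in this thread, shown as an added example that is not code from either poster, from JEP-0114, or from any server: a router-side check on the 'from' address of stanzas arriving from an external component. The `trusted` flag, the function names and the sample stanzas are assumptions made for this example; the JEP-0114 text quoted above defines no such flag.

```python
import xml.etree.ElementTree as ET


def jid_domain(jid):
    """Return the lower-cased domain part of a JID (node@domain/resource)."""
    bare = jid.split("/", 1)[0]        # strip the resource first; it may contain '@'
    return bare.split("@", 1)[-1].lower()


def check_from(stanza_xml, component_host, trusted=False):
    """Router-side decision for one stanza received from an external component.

    Returns (accepted, reason). `trusted` is a hypothetical per-component
    setting, not something JEP-0114 defines.
    """
    try:
        stanza = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return False, "malformed"
    sender = stanza.get("from")
    if not sender:
        return False, "missing-from"
    if jid_domain(sender) == component_host.lower():
        return True, "own-hostname"
    if trusted:
        # e.g. a multicast service relaying a stanza on behalf of a remote user
        return True, "foreign-from-trusted"
    return False, "foreign-from"


HOST = "multicast.header2.org"
# Constructed sample stanzas (not taken from JEP-0033).
OWN = "<message from='multicast.header2.org' to='bob@header2.org'><body>hi</body></message>"
RELAYED = "<message from='alice@example.org/desk' to='bob@header2.org'><body>hi</body></message>"
NO_FROM = "<message to='bob@header2.org'><body>hi</body></message>"

if __name__ == "__main__":
    for name, xml in (("own", OWN), ("relayed", RELAYED), ("no-from", NO_FROM)):
        print(name, check_from(xml, HOST), check_from(xml, HOST, trusted=True))
```

A router that only accepts the component's own hostname rejects the relayed stanza, which is the behaviour reported above for the s2s component; accepting it requires an explicit trust decision by the administrator.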