[Standards-JIG] JEP-0033 isn't implementable as external component
according to JEP-0114
Peter Saint-Andre
stpeter at jabber.org
Tue Aug 8 20:34:52 CDT 2006
tmarkmann at googlemail.com wrote:
> Hi,
>
> In JEP-0033, section 2.2 Multicast Service, you can read that such an
> service is implementable as external service/component. The JEP-0033
> describes Extended Stanza Addressing. According to that JEP and the
> point that multicast services intercommunicate they need to be able to
> have full rights on editing the from attribute. However, JEP-0114 says
> the following in section 4. Security Considerations:
>
> Given that an external component is trusted to write 'from'
> addresses for any user at the component's hostname, server
> administrators SHOULD make sure that they in fact do trust the
> component software.
>
>
> Example 17 in JEP-0033 shows the component 'multicast.header2.org
> <http://multicast.header2.org>' editing the from address to a user from
> another server which contradicts to JEP-0114 Sec. 4.
Not so.
The security consideration in JEP-0114 says only "don't allow untrusted
components to connect to your router" (good advice, no?). It does not
say that multicast components (or any other kind of component) is or
must be untrusted, and I think that a multicast component would have to
be trusted in order to function properly. In any case, the security
consideration in JEP-0114 provides advice to server administrators who
deploy external components and does not constrain component developers
in any way.
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7358 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/standards/attachments/20060808/4fc1f7ca/smime.bin
More information about the Standards-JIG
mailing list