[Standards-JIG] Inclusion of both to and from attributes to the stream root element
Peter Saint-Andre
stpeter at jabber.org
Thu Sep 28 17:25:23 CDT 2006
Matthias Wimmer wrote:
> Peter Saint-Andre wrote:
>> My only concern is that the 'from' address in the stream header is
>> simply asserted, so I could be shown the wrong set of SASL mechanisms if
>> I assert that I'm mawis at jabber.org instead of stpeter at jabber.org or
>> whatever. However, if I try to auth using a mechanism that I'm not
>> really allowed to use, I'll find out eventually anyway because the
>> server will return an <invalid-mechanism/> error to me. So I don't think
>> this opens any security holes.
>
> Agreed.
>
> I think the from and to attributes should in any case not be more
> than a hint to the endpoints of a connection. Real identity checking is
> done by SASL or other strong ways to authenticate (TLS, IPsec, ...).
Yes, and the spec says that (even in RFC 3920), so I think we're fine.
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
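As an added illustration (not code from this thread or from any Jabber server), a toy server-side sketch of the point above: the stream header's 'from' only tailors the advertised mechanism list, while the <invalid-mechanism/> decision rests on the identity the SASL exchange itself carries. The account policy, JIDs, password and client-certificate identity are constructed.

```python
import base64
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed, hypothetical policy: which SASL mechanisms each account may use.
ACCOUNT_MECHANISMS = {
    "stpeter@jabber.org": {"PLAIN", "DIGEST-MD5"},
    "mawis@jabber.org": {"PLAIN", "DIGEST-MD5", "EXTERNAL"},
}
DEFAULT_MECHANISMS = {"PLAIN", "DIGEST-MD5"}


def stream_from_hint(header):
    """Return the 'from' asserted in the stream header. It is unverified."""
    # The header is an unclosed start tag; close it so the parser accepts it.
    return ET.fromstring(header + "</stream:stream>").get("from")


def offered_mechanisms(header):
    """Mechanisms to advertise in stream features; the hint only tailors this."""
    return set(ACCOUNT_MECHANISMS.get(stream_from_hint(header), DEFAULT_MECHANISMS))


def plain_initial_response(authcid, password):
    """Encode a SASL PLAIN initial response: authzid NUL authcid NUL password."""
    return base64.b64encode(f"\0{authcid}\0{password}".encode()).decode()


def handle_auth(auth_stanza, tls_identity=None):
    """Server-side check when <auth/> arrives. The decision uses the identity
    carried by the SASL exchange (or the client certificate for EXTERNAL),
    never the stream 'from'. Returns the account if the mechanism is permitted
    for it, otherwise the <failure/> stanza the client would receive."""
    auth = ET.fromstring(auth_stanza)
    if auth.tag != f"{{{SASL_NS}}}auth":
        raise ValueError("not a SASL <auth/> element")
    mechanism = auth.get("mechanism")
    if mechanism == "PLAIN":
        _authzid, account, _password = (
            base64.b64decode(auth.text or "").decode().split("\0"))
    elif mechanism == "EXTERNAL":
        account = tls_identity  # identity from the verified client certificate
    else:
        account = None
    if account is None or mechanism not in ACCOUNT_MECHANISMS.get(account, set()):
        return f"<failure xmlns='{SASL_NS}'><invalid-mechanism/></failure>"
    return account  # credential verification would follow; omitted here
```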