[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]
Ian Paterson
ian.paterson at clientside.co.uk
Fri May 18 15:51:50 CDT 2007
Peter Saint-Andre wrote:
> How is this for text in the Security Considerations?
>
> ******
>
> If a server receives a ping request directed to a full JID
> (<node@domain.tld/resource>) associated with a registered account but
> there is no connected resource matching the 'to' address, it MUST
> reply with a <service-unavailable/> error and set the 'from' address
> of the IQ-error to the full JID provided in the 'to' address of the
> ping request. If a connected resource receives a ping request but it
> does not want to reveal its network availability to the sender for any
> reason (e.g., because the sender is not authorized to know the
> connected resource's availability), then it too MUST reply with a
> <service-unavailable/> error. This consistency between the server
> response and the client response helps to prevent presence leaks.
>
> ******
What about white space character data between XML tags etc? To prevent a
presence leak the client MUST be able to predict every single byte of
its server's normal response. I think you should go so far as including
an example of the exact character string that a server MUST send.
- Ian
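Ian's point is that the offline-resource reply from the server and the "do not reveal me" reply from a connected client have to be byte-for-byte identical, or the difference itself leaks presence. The following is an added illustration, not code from the thread or from any XMPP implementation: a deterministic serializer for the <service-unavailable/> reply that fixes attribute order, quoting and inter-element whitespace, plus a byte-level comparison an implementer could use to audit the two paths. The JIDs and the ping id are constructed sample values.

```python
# Added example: canonical <service-unavailable/> reply to an XMPP ping, so
# that a server answering for an offline resource and a client refusing to
# reveal itself emit exactly the same bytes. Sample JIDs are constructed.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

PING_NS = "urn:xmpp:ping"
STANZAS_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Constructed sample ping request (no whitespace between elements).
SAMPLE_PING = (
    '<iq type="get" id="ping1" from="romeo@example.net/orchard" '
    'to="juliet@example.com/balcony"><ping xmlns="urn:xmpp:ping"/></iq>'
)


def ping_unavailable_reply(ping_iq: str) -> bytes:
    """Build the canonical error reply for a ping IQ.

    Attribute order, double-quoted attributes and the absence of any
    whitespace between elements are fixed here, so two independent
    implementations (server and client) cannot drift apart.
    """
    iq = ET.fromstring(ping_iq)
    if iq.tag != "iq" or iq.get("type") != "get":
        raise ValueError("not an IQ-get")
    if iq.find(f"{{{PING_NS}}}ping") is None:
        raise ValueError("not a ping request")
    # 'from' of the error is the full JID given in the request's 'to'.
    attrs = [("type", "error"), ("id", iq.get("id", "")),
             ("from", iq.get("to", "")), ("to", iq.get("from", ""))]
    head = "<iq" + "".join(f" {k}={quoteattr(v)}" for k, v in attrs) + ">"
    body = (f"<ping xmlns={quoteattr(PING_NS)}/>"
            '<error type="cancel">'
            f"<service-unavailable xmlns={quoteattr(STANZAS_NS)}/>"
            "</error></iq>")
    return (head + body).encode("utf-8")


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if a and b are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    reply = ping_unavailable_reply(SAMPLE_PING)
    # A pretty-printing client would differ from the server at this offset.
    pretty = reply.replace(b"><", b">\n<")
    print(reply.decode())
    print("first leaking byte:", first_difference(reply, pretty))
```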