[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]
Ian Paterson
ian.paterson at clientside.co.uk
Sat May 19 07:01:27 CDT 2007
Daniel Noll wrote:
> On Saturday 19 May 2007 19:51, Ian Paterson wrote:
>
>> AFAICT, as long as the resource ID is random and long enough (e.g. 128
>> bits of entropy), then it is exceptionally secure.
>>
>> In fact it is far more secure than, for example, the user's password...
>> because it is random and long, because it changes with every session,
>> and because the only way to discover it would be to sniff the user's
>> session (in which case you know the user is online anyway).
>>
>
> The person who is trying to find you might just decide to ask one of the
> contacts who does have a subscription to your presence.
>
> They can't quite do this with the user's password.
>
Well, that doesn't matter in this case. Expanding my last sentence above:
"the only way to discover it would be to sniff the user's session *or ask the user or one of her contacts who does have a subscription* (if you can do any of those things then you know the user is online, so there is no need to discover the resource ID)."
- Ian