[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]
Mridul Muralidharan
mridul at sun.com
Sat May 19 08:47:05 CDT 2007
Ian Paterson wrote:
> Daniel Noll wrote:
>> On Saturday 19 May 2007 19:51, Ian Paterson wrote:
>>
>>> AFAICT, as long as the resource ID is random and long enough (e.g. 128
>>> bits of entropy), then it is exceptionally secure.
>>>
>>> In fact it is far more secure than, for example, the user's password...
>>> because it is random and long, because it changes with every session,
>>> and because the only way to discover it would be to sniff the user's
>>> session (in which case you know the user is online anyway).
>>>
>>
>> The person who is trying to find you might just decide to ask one of
>> the contacts who does have a subscription to your presence.
>>
>> They can't quite do this with the user's password.
>>
>
> Well, that doesn't matter in this case. Expanding my last sentence above:
>
> "the only way to discover it would be to sniff the user's session *or
> ask the user or one of her contacts who does have a subscription* (if
> you can do any of those things then you know the user is online, so
> there is no need to discover the resource ID)."
>
> - Ian
>
>
Yes, you must not worry about out-of-band means of querying for presence :)
Mridul
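The thread's argument rests on the resource identifier being random, long (128 bits of entropy) and fresh for every session. The following Python is an added illustration, not code from the original post or from any XMPP implementation, showing what that looks like in practice: a per-session resource drawn from the OS CSPRNG, a check that a presented resource actually carries the required entropy, and the comparison with a typical password's upper bound that Ian draws. The hex encoding, the 128-bit minimum and the `alice@example.com` JID are assumptions chosen for the example.

```python
import math
import secrets
import string

# Assumption for this example: 16 random bytes (128 bits) per session, encoded as
# 32 lowercase hex characters so the resource stays within characters that an XMPP
# resourcepart carries without normalisation surprises.
RESOURCE_ENTROPY_BYTES = 16


def random_resource(entropy_bytes=RESOURCE_ENTROPY_BYTES):
    """Return a fresh, unguessable resource identifier for one session."""
    # secrets uses the OS CSPRNG; never use random.random() for this.
    return secrets.token_hex(entropy_bytes)


def full_jid(bare_jid, resource):
    """Compose localpart@domain/resource from an already validated bare JID."""
    if "/" in bare_jid:
        raise ValueError("bare JID must not already carry a resource")
    return f"{bare_jid}/{resource}"


def resource_entropy_bits(resource):
    """Entropy carried by a hex resource produced by random_resource()."""
    # Each hex character encodes exactly 4 bits of the underlying random bytes,
    # so the entropy is a direct function of the length (only for hex resources).
    if not all(c in string.hexdigits for c in resource):
        raise ValueError("not a hex resource")
    return 4 * len(resource)


def is_acceptable_resource(resource, min_bits=128):
    """Policy check a server could apply: refuse short or non-hex resources."""
    try:
        return resource_entropy_bits(resource) >= min_bits
    except ValueError:
        return False


def password_max_entropy_bits(length, alphabet_size):
    """Upper bound for a password: uniform choice over alphabet_size**length.

    Real human-chosen passwords fall well below this bound; it is already far
    smaller than 128 bits for any length people will type.
    """
    return length * math.log2(alphabet_size)


def expected_guesses(bits):
    """Expected number of guesses to hit a uniformly random secret of `bits` bits."""
    return 2 ** (bits - 1)


def session_resources_differ(sessions=3):
    """Every session binds a new resource; a previous ID never identifies the next."""
    resources = [random_resource() for _ in range(sessions)]
    return len(set(resources)) == sessions


if __name__ == "__main__":
    # Constructed example user; not a real account.
    resource = random_resource()
    print(full_jid("alice@example.com", resource))
    print("resource bits:", resource_entropy_bits(resource))
    print("8-char printable-ASCII password bound:",
          round(password_max_entropy_bits(8, 94), 1), "bits")
    print("expected guesses for the resource:", expected_guesses(128))
```

The guess count makes Ian's point concrete: guessing the resource is not a realistic route to the user's presence, which is why the remaining routes (sniffing the session, or simply asking a subscribed contact) dominate any threat model for this identifier.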