[Standards] XEP-0115 redux
Dave Cridland
dave at cridland.net
Thu Jan 17 14:13:41 CST 2008
On Thu Jan 17 18:15:02 2008, Kevin Smith wrote:
> On Jan 15, 2008 8:06 PM, Dave Cridland <dave at cridland.net> wrote:
> > Would it be reasonable to cache iq:version results against node+ver+v
> > of the XEP-115 if the hash attribute exists?
>
> It doesn't really work, since the node+ver+v doesn't contain as much
> info as the iq:version does.
>
>
Point taken.

So let's make it unique for any given iq:version response. In fact,
on this basis, we can ditch v again, and make node be a URI unique to
the client, its version, and platform. Perhaps
http://psi-im.org/0.11/linux-2.6 or even
http://psi-im.org/janlcdanrfunv. And perhaps
http://psi-im.org/sjkdcsla means Psi 0.11, but it won't reveal the
OS. Or maybe it's "Some version of Psi" - although
http://psi-im.org/0.11 and http://psi-im.org/ are quite a bit shorter.

We can even supply a magical node of "http://www.xmpp.org/", meaning
that the client version is not given - we can do this, after all,
since for caps, it's only the hash we care about.

Note that in all cases, the URI's scheme and authority remain a
client identifier, so if you just want to have the client put a Psi
logo as default avatar, you can do so without a query, and I'm
reasonably content that the amount of data added to caps to support
this is minimal.

> > There's no security
> > here, and I would note that it would be possible for malicious
> > clients to poison the iq:version cache, I just can't see any point in
> > doing so.
>
> Well, some client developers have been less than truthful about their
> clients in the past for their own peculiar reasons - it's not
> inconceivable given some previous behaviours we've seen that some
> client would try and distort their 'popularity' in this way.
In the above scenario, I don't see a useful "attack". I could make my
client lie and claim to be Psi, but I don't see what that would gain
me.
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
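
Added example, not part of the original message or of XEP-0115: a Python sketch of the cache proposed above, keyed on the caps node URI, with the scheme and authority read as the client identifier and the "magical" node left uncached. The class and function names, the first-answer-wins policy and the recorded supplier JID are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# "Magical" node from the message: the client version is not given.
UNSPECIFIED_NODE = "http://www.xmpp.org/"

def client_identifier(node):
    """Scheme + authority of a caps node URI, available without any query."""
    parts = urlsplit(node)
    if not parts.scheme or not parts.netloc:
        return None  # not a URI with an authority, so no client identifier
    return f"{parts.scheme}://{parts.netloc.lower()}"

class VersionCache:
    """iq:version results keyed by caps node URI (hypothetical helper).
    Every entry is self-asserted by the contact that answered first, so it
    is a display hint only; the supplier is recorded so it can be evicted.
    """
    def __init__(self):
        self._by_node = {}

    def lookup(self, node):
        if node == UNSPECIFIED_NODE:
            return None  # assumption: nothing is cached for the magical node
        entry = self._by_node.get(node)
        return entry["info"] if entry else None

    def store(self, node, answered_by, info):
        if node == UNSPECIFIED_NODE or client_identifier(node) is None:
            return False
        if node in self._by_node:
            return False  # first answer wins; later answers are not merged
        self._by_node[node] = {"info": dict(info), "source": answered_by}
        return True

    def evict_from(self, jid):
        """Drop every entry one contact supplied; returns how many went."""
        stale = [n for n, e in self._by_node.items() if e["source"] == jid]
        for n in stale:
            del self._by_node[n]
        return len(stale)

def demo():
    # Constructed sample data: JIDs and the version reply are made up.
    cache = VersionCache()
    node = "http://psi-im.org/0.11/linux-2.6"
    cache.store(node, "first@example.org/a", {"name": "Psi", "version": "0.11"})
    # A second contact advertising the same node is answered from the cache,
    # so it inherits whatever the first contact claimed.
    return client_identifier(node), cache.lookup(node)
```

Because the cached reply is whatever the first contact asserted for that node, it is suitable for display and statistics only, never for a trust decision.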