8 May
2024
8 May
'24
8:19 a.m.
I'd like to see the security considerations expanded on this.
In particular, in the business rules it mentions the fact that if
occupant-id isn't supported it could be spoofed. This should exist in
the security considerations.
Also, I suspect the naive way to implement this will be to hash the bare
JID. We probably want to mention that this is a bad idea and that these
identifiers should be random (or we should explicitly define the
security properties that are required if they're derived, which probably
includes using a salt and ensuring high entropy).
—Sam
On 2024-05-08 05:20, Daniel Gultsch wrote:
This message constitutes notice of a Last Call for
comments on
XEP-0421.
Title: Anonymous unique occupant identifiers for MUCs
Abstract:
This specification defines a method that allows clients to identify a
MUC participant across reconnects and renames. It thus prevents
impersonification of anonymous users.
URL: https://xmpp.org/extensions/xep-0421.html
This Last Call begins today and shall end at the close of business on
2024-05-27.
Please consider the following questions during this Last Call and send
your feedback to the standards(a)xmpp.org discussion list:
1. Is this specification needed to fill gaps in the XMPP protocol
stack or to clarify an existing protocol?
2. Does the specification solve the problem stated in the introduction
and requirements?
3. Do you plan to implement this specification in your code? If not,
why not?
4. Do you have any security concerns related to this specification?
5. Is the specification accurate and clearly written?
Your feedback is appreciated!
_______________________________________________
Standards mailing list -- standards(a)xmpp.org
To unsubscribe send an email to standards-leave(a)xmpp.org
--
Sam Whited
sam(a)samwhited.com