[Council] VOTE: JEP-0033 (Extended Stanza Addressing)
stpeter at jabber.org
Fri May 7 18:23:44 CDT 2004
On Thu, May 06, 2004 at 02:30:30PM -0500, Peter Saint-Andre wrote:
> On Thu, May 06, 2004 at 01:03:51PM -0600, Peter Millard wrote:
> > Peter Saint-Andre wrote:
> > > Votes from Paul Curtis and Peter Millard are still needed on this JEP.
> > +1.. I needed to re-read as well.
> Thank you all for voting. This JEP has now been approved by the Council.
> However, it still lacks a Security Considerations section, and I will
> request that from the JEP Author before proceeding with publication of
> JEP-0033 as a Draft standard.
The JEP Author has stated that he cannot think of any security concerns
related to extended stanza addressing. I can think of at least one: the
potential for abuse related to the 'replyto' and 'replyroom' features.
Consider the case of an entity that sends messages with 'replyroom' set
to the address of a room that hosts salacious content. Similarly, the
'replyto' could be set to the address of a spambot that harvests Jabber
addresses. I think we need to at least specify that the recipient of a
message with extended stanza addressing SHOULD be prompted in some way
if the recipient's reply will be sent to an address other than that of
the sender (naturally, the list of entities to which a recipient could
reply might be limited using privacy lists, but this provides an extra
layer of protection).
Jabber Software Foundation
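The check proposed in the message above, sketched as an added example that is not part of the original post or of JEP-0033: a receiving client inspects the 'replyto' and 'replyroom' addresses and builds a prompt when a reply would go somewhere other than the sender. The function names, the bare-JID comparison and the sample stanzas are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of extended stanza addressing (JEP-0033).
NS = "{http://jabber.org/protocol/address}"
REPLY_TYPES = ("replyto", "replyroom")

def bare(jid):
    # Simplification: drop the resource and lowercase; a real client
    # would apply full JID normalisation before comparing.
    return jid.split("/", 1)[0].lower()

def reply_redirects(stanza_xml):
    """Return (type, jid) pairs that send a reply somewhere other than the sender."""
    stanza = ET.fromstring(stanza_xml)
    sender = bare(stanza.get("from", ""))
    hits = []
    # Only the <addresses/> element that is a direct child of the stanza counts.
    for addr in stanza.findall(NS + "addresses/" + NS + "address"):
        kind, jid = addr.get("type"), addr.get("jid")
        if kind in REPLY_TYPES and jid and bare(jid) != sender:
            hits.append((kind, jid))
    return hits

def prompt_text(stanza_xml):
    """Text to show before replying, or None when the reply goes to the sender."""
    hits = reply_redirects(stanza_xml)
    if not hits:
        return None
    targets = ", ".join("%s (%s)" % (jid, kind) for kind, jid in hits)
    return "Your reply will be sent to %s, not to the sender. Continue?" % targets

# Constructed sample stanzas (all addresses are made up).
REDIRECTED = """<message xmlns='jabber:client' from='sender@example.com/work' to='me@example.org'>
  <addresses xmlns='http://jabber.org/protocol/address'>
    <address type='to' jid='me@example.org'/>
    <address type='replyroom' jid='lobby@conference.example.net'/>
  </addresses>
  <body>Join the discussion</body>
</message>"""

SAME_SENDER = """<message xmlns='jabber:client' from='sender@example.com/work' to='me@example.org'>
  <addresses xmlns='http://jabber.org/protocol/address'>
    <address type='replyto' jid='Sender@example.com/home'/>
  </addresses>
  <body>hi</body>
</message>"""

if __name__ == "__main__":
    for sample in (REDIRECTED, SAME_SENDER):
        print(prompt_text(sample))
```

A stanza with no 'from' attribute is treated as redirected for any reply address, so the prompt fails closed.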