[Council] disco mods

Ian Paterson ian.paterson at clientside.co.uk
Fri Dec 2 09:24:02 CST 2005

Hi Peter,

This is looking good. However, I'm not quite comfortable with list items
2.1 and 2.2 in the Security Considerations section yet:

1. The JEP doesn't seem to specify anywhere what the server should
return in the following case:
- the request did not specify a node
- there are other items as well as available resources
- the requesting entity is not authorized to receive presence

I guess this should be the other items only?

2. That example illustrates a second, more general, issue. If the normal
response to an 'unauthorized' user would contain items (no matter if the
request specified a node or not), then the following rule enables
directory harvesting: "the server MUST return an empty result set if the
target entity does not exist (no matter if the request specified a node
or not)".

> > 3. For my information only, why was this 'informative' phrase
> > "although the primary use of nodes is as Items Nodes rather than as
> > info nodes"


- Ian
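The directory-harvesting concern raised in point 2, as an added example that is not part of the post or of the JEP: a toy model of a disco#items handler where the literal rule (empty result for a nonexistent target, items for an unauthorized requester) becomes an existence oracle, beside a variant that answers both cases identically. The accounts, JIDs, items and presence-authorization table are constructed for the example.

```python
# Added example (not from the list post): toy model of XMPP disco#items
# responses showing how "empty result set for a nonexistent target" combined
# with "items for an unauthorized requester" lets a third party tell existing
# accounts from missing ones, and a hardened handler that closes the gap.
# All JIDs, items and the authorization table below are constructed.

from dataclasses import dataclass, field


@dataclass
class Account:
    resources: list = field(default_factory=list)        # available resources
    other_items: list = field(default_factory=list)      # non-presence items
    presence_subscribers: set = field(default_factory=set)


# Constructed directory: only alice@example.com exists.
DIRECTORY = {
    "alice@example.com": Account(
        resources=["alice@example.com/home"],
        other_items=["pubsub.example.com"],
        presence_subscribers={"bob@example.com"},
    ),
}


def disco_items_leaky(requester: str, target: str) -> list:
    """Literal reading of the draft rule discussed in the post: empty result
    for a nonexistent target, but the non-presence items for an existing
    target even when the requester is not authorized to see presence."""
    acct = DIRECTORY.get(target)
    if acct is None:
        return []
    if requester in acct.presence_subscribers:
        return acct.resources + acct.other_items
    return acct.other_items   # still reveals that the account exists


def disco_items_hardened(requester: str, target: str) -> list:
    """Mitigation: an unauthorized requester gets exactly the response a
    nonexistent target would produce, so the two cases cannot be told apart."""
    acct = DIRECTORY.get(target)
    if acct is None or requester not in acct.presence_subscribers:
        return []
    return acct.resources + acct.other_items


def is_existence_oracle(handler, requester: str, existing: str, missing: str) -> bool:
    """True if an unauthorized requester can distinguish 'existing' from 'missing'."""
    return handler(requester, existing) != handler(requester, missing)
```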

