[Council] meeting agenda, 2005-11-30

Peter Saint-Andre stpeter at jabber.org
Thu Dec 1 22:22:18 CST 2005


Hi Ian,

These are good questions. :-) Here are my current thoughts...

Ian Paterson wrote:

> 1. Is the behaviour described in lines 295 and 423 (see CVS diff link
> below) only for cases where bare JIDs are queried without a node? If so,
> perhaps those paragraphs should make that clear? The door will then be
> left open for future JEPs to specify different (optional) server
> behaviours when specific nodes of bare JIDs are queried. JEP-0030 could
> specify what the server should do if it receives a bare JID query for a
> node it does not understand.

The main concern for disco#items is leaking of presence information,
which could occur if a server returns data about available resources in
response to a disco#items query received from an unauthorized sender. So
I think we need to make it clear that these provisos apply only in that
case. Information about other kinds of items (let's say pubsub nodes as
Ralph mentioned in the meeting) could be safely returned. Also this
would apply only to queries that do not specify a node -- if the sender
specifies a node, then it is requesting information about things other
than the available resources for the account.

As to disco#info, the concern is directory harvesting. An untrusted
entity could query every possible JID at a domain and discover if the
account is registered.

> 2. I'd like the JEP to specify what a server should do when it receives
> a *disco#items* request for an account that does not exist from an
> entity that is not explicitly trusted (e.g., a server in a trusted
> network). To prevent directory harvest attacks that should be an empty
> result set. (I'm concerned that unless this is made explicit, some
> implementations may respond with a <service-unavailable/> error whenever
> an account doesn't exist.)

See the latest CVS diff and rendered copy:

http://jabberstudio.org/cgi-bin/viewcvs.cgi/cvs/jeps/0030/jep-0030.xml?r1=1.67&r2=1.72

And also the rendered version:

http://www.jabber.org/jeps/tmp/jep-0030-2.2.html

> 3. For my information only, why was this 'informative' phrase inserted?
> "although the primary use of nodes is as Items Nodes rather than as info
> nodes"

Because historically that's why we added the concept of nodes.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
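The server-side rule discussed in this thread (a bare-JID disco#items query with no node gets an empty result unless the sender is trusted, and a nonexistent account is answered exactly the same way rather than with an error), as an added Python example that is not code from the thread or from JEP-0030; the account table, the "trusted" relation, the pubsub node names and the item-not-found answer for an unknown node are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample state for a hypothetical server: the account table, the
# "trusted" relation and the pubsub node names are assumptions for this example.
ACCOUNTS: Dict[str, dict] = {
    "alice@example.org": {
        "resources": ["alice@example.org/laptop", "alice@example.org/phone"],
        "trusted": {"bob@example.org"},  # senders allowed to learn her resources
        "nodes": {"urn:example:pubsub": ["news", "weather"]},  # non-resource items
    },
}

@dataclass
class DiscoItemsResponse:
    kind: str                     # "result" or "error"
    items: List[str] = field(default_factory=list)
    error: Optional[str] = None   # error condition name when kind == "error"

def bare(jid: str) -> str:
    """Strip the resource part: alice@example.org/phone -> alice@example.org."""
    return jid.split("/", 1)[0]

def handle_disco_items(sender: str, target: str, node: Optional[str]) -> DiscoItemsResponse:
    """Answer a disco#items query addressed to a bare account JID.

    No node: the items would be the account's available resources, which
    reveal presence, so only a trusted sender gets them; every other sender,
    and every query for an account that does not exist, gets the same empty
    <query/> result (not <service-unavailable/>), so the reply cannot be used
    to tell registered accounts from unregistered ones.
    With a node: the query is about something other than the resource list,
    so the presence proviso does not apply. The unknown-node answer is left
    open in the thread; here (assumption) it is item-not-found, chosen so
    that it does not depend on whether the account exists.
    """
    account = ACCOUNTS.get(bare(target))
    if node is not None:
        if account is None or node not in account["nodes"]:
            return DiscoItemsResponse("error", error="item-not-found")
        return DiscoItemsResponse("result", list(account["nodes"][node]))
    if account is None or bare(sender) not in account["trusted"]:
        return DiscoItemsResponse("result", [])
    return DiscoItemsResponse("result", list(account["resources"]))
```

The property worth checking is that an untrusted sender's reply for an existing account and for a nonexistent one compare equal, for both the no-node and the unknown-node case.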