[Council] meeting agenda, 2005-11-30
stpeter at jabber.org
Thu Dec 1 22:22:18 CST 2005
These are good questions. :-) Here are my current thoughts...
Ian Paterson wrote:
> 1. Is the behaviour described in lines 295 and 423 (see CVS diff link
> below) only for cases where bare JIDs are queried without a node? If so,
> perhaps those paragraphs should make that clear? The door will then be
> left open for future JEPs to specify different (optional) server
> behaviours when specific nodes of bare JIDs are queried. JEP-0030 could
> specify what the server should do if it receives a bare JID query for a
> node it does not understand.
The main concern for disco#items is leaking of presence information,
which could occur if a server returns data about available resources in
response to a disco#items query received from an unauthorized sender. So
I think we need to make it clear that these provisos apply only in that
case. Information about other kinds of items (let's say pubsub nodes as
Ralph mentioned in the meeting) could be safely returned. Also this
would apply only to queries that do not specify a node -- if the sender
specifies a node, then it is requesting information about things other
than the available resources for the account.
As to disco#info, the concern is directory harvesting. An untrusted
entity could query every possible JID at a domain and discover if the
account is registered.
> 2. I'd like the JEP to specify what a server should do when it receives
> a *disco#items* request for an account that does not exist from an
> entity that is not explicitly trusted (e.g., a server in a trusted
> network). To prevent directory harvest attacks that should be an empty
> result set. (I'm concerned that unless this is made explicit, some
> implementations may respond with a <service-unavailable/> error whenever
> an account doesn't exist.)
See the latest CVS diff and rendered copy:
And also the rendered version:
> 3. For my information only, why was this 'informative' phrase inserted?
> "although the primary use of nodes is as Items Nodes rather than as info
Because historically that's why we added the concept of nodes.
Jabber Software Foundation
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3641 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/council/attachments/20051201/3f151a0d/smime-0001.bin
More information about the Council