[Council] XEP-0185 feedback

Ian Paterson ian.paterson at clientside.co.uk
Thu Feb 1 13:02:52 CST 2007


Peter Saint-Andre wrote:

> I chatted with Philipp Hancke (the spec author) and we think it's 
> probably best to simply remove Section 4 of XEP-0185. Objections?

I think it's educational. That's important for this XEP - since there 
are no incompatibility issues to keep developers on the straight and 
narrow. So anyone can decide to do their own thing (all too common with 
crypto code). We can't stop that, but we can at least help them avoid 
the obvious mistakes.

I'm also interested in 4.1 (why the Originating Server needs to be 
included). :-)

>> Perhaps I've not understood, but I don't find section 4.1 very 
>> convincing. Am I supposed to? I guess it doesn't matter, including 
>> the Originating Server can't hurt, and with security it's always 
>> better to be conservative.
> I think 4.1 could be improved to describe why it might not be good for 
> the originating server to reveal that it uses the same secret for two 
> virtual domains.

- Ian
