[Council] Minutes 2011-03-23

Matthew Wild matthew at prosody.im
Wed Apr 6 05:18:18 UTC 2011


On 6 April 2011 11:11, Kevin Smith <kevin at kismith.co.uk> wrote:
> On Thu, Mar 24, 2011 at 2:47 PM, Kevin Smith <kevin at kismith.co.uk> wrote:
>> 3) Accept version 1.8 of XEP-0065?
>> All to vote on-list within a fortnight.
>
> I have a quibble that
> "The JIDs provided MUST be the JIDs used for the IQ exchange between
> the Requester and the Target, which MAY be full JIDs or bare JIDs."
> could be misconstrued as saying that it's fine to choose whether to
> use the full or bare JIDs (whereas I think that what it's saying is
> that if the iqs are bare-JID, so should these JIDs be, otherwise
> full).
>

I think s/full or bare// would be fine there.

> Also, "A Proxy SHOULD monitor usage from particular Requesters and
> blacklist them if their usage is excessive." mixing normative language
> with a vague 'do something about it' seems wrong, but this is also
> non-blocking.
>

Proxied streams are bidirectional; it's possible that I open a
connection to someone else via the proxy and they flood me with data.
Who do we mark this traffic against? :)

For the other security consideration about hijacking, it only
questions for me why we don't just use dstaddr all the time (pesky
backwards compatibility... :) ). I think it is no less secure than
sending the sid and hashing at each end - anyone who captured the
stanza then already has all the data they need to produce the hash,
even if dstaddr isn't included.

Anyway, the point is that the security consideration stands today as
much as it ever did, so it's fine.

> I'm ok with publication.
>
> /K
>

+1.

Matthew
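
An added example, not part of the original message: XEP-0065 derives the SOCKS5 DST.ADDR as the hex SHA-1 of SID + Requester JID + Target JID, so the sketch below shows why both ends must use the JIDs exactly as they appeared on the IQ exchange, and that the hash contains nothing beyond what the stanza already carries. The JIDs and SID are constructed sample values, the helper names are hypothetical, and JIDs are assumed to be already normalized.

```python
import hashlib

def dst_addr(sid: str, requester_jid: str, target_jid: str) -> str:
    """SOCKS5 DST.ADDR per XEP-0065: hex SHA-1 of SID + Requester JID + Target JID."""
    return hashlib.sha1((sid + requester_jid + target_jid).encode("utf-8")).hexdigest()

def bare(jid: str) -> str:
    """Strip the resource part, leaving the bare JID."""
    return jid.split("/", 1)[0]

def proxy_can_pair(requester_hash: str, target_hash: str) -> bool:
    """A proxy joins two connections only when both presented the same DST.ADDR."""
    return requester_hash == target_hash

# Constructed sample values (not from the thread).
SID = "sid-constructed-001"
REQUESTER = "requester@example.com/laptop"
TARGET = "target@example.org/phone"

def demo() -> dict:
    # Both ends use the JIDs exactly as they appeared on the IQ exchange.
    req_side = dst_addr(SID, REQUESTER, TARGET)
    tgt_side = dst_addr(SID, REQUESTER, TARGET)
    # One end "chooses" bare JIDs although the IQs carried full JIDs.
    tgt_bare = dst_addr(SID, bare(REQUESTER), bare(TARGET))
    # An observer holding only the captured stanza fields (sid, from, to).
    captured = {"sid": SID, "from": REQUESTER, "to": TARGET}
    observer = dst_addr(captured["sid"], captured["from"], captured["to"])
    return {
        "consistent_jids_pair": proxy_can_pair(req_side, tgt_side),
        "mixed_jid_forms_pair": proxy_can_pair(req_side, tgt_bare),
        "observer_reproduces_hash": observer == req_side,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
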

