[JDEV] Discussion of transports?

Andrew Sayers andrew-list-jabber-jdev at ccl.bham.ac.uk
Sun Sep 28 11:59:50 CDT 2003

On Wed, Sep 24, 2003 at 04:04:37 -0600, Joe Hildebrand wrote:
> Even if you allowed transports to do this, there should probably be an
> access-control check.  I can't think of a good (secure) way to do that such
> that I can be a user on server A, and access a transport running on server
> B.

What insecurities are you thinking of?  If you can't trust the path
between your client and your transport, you have bigger problems than
roster pushes.

> Aside from the S2S thing, you could get there with today's servers by having
> the transport start a session on behalf of the user, retrieve the roster,
> and then do roster sets/presence subscribes.  The roster pushes would then
> happen automatically to other sessions.

Well, this can only be done *properly* by modifying servers or clients.
It seems to me that modifying the server is preferable because there are
fewer server implementations to modify, because Jabber clients are
generally expected to be quite thin, and because Jabber servers are
already involved in pushing roster items.

	- Andrew