[Standards] Re: [jdev] XEP-0115: Entity Capabilities

Joe Hildebrand hildjj at gmail.com
Thu Jun 28 17:19:11 CDT 2007

For those not on the standards list, see my suggestion here:

On Jun 27, 2007, at 12:31 AM, Sergei Golovan wrote:

> On 6/27/07, Joe Hildebrand <hildjj at gmail.com> wrote:
>> On Jun 27, 2007, at 5:53 AM, Sergei Golovan wrote:
>> > I would consider this XEP dangerous and wouldn't like to implement it
>> > in Tkabber. It's too easy for a malicious user to flood all contacts
>> > (and not only in his roster) with false information about all clients
>> > and versions he wants.
>> >
>> > I think that one should never apply info received from some user to
>> > other users.
>> Please bring this up on the standards list if you want to talk about
>> it again, but this point has been beaten to death, I think.
> And the only result of these discussions is a really small note in
> the 'Security consideration' section, which really does cover only a small
> portion of the possible security concerns. I could imagine, for example, an
> attack on future software versions (where the victim can't check the
> correctness of capabilities because there are no other sources of
> information).
>> You can always just query each user independently if you like; you
> I think that the XEP must not recommend caching capabilities based
> only on the reported software name and version. The more acceptable index
> is a tuple {jid, client name, client version}.
>> only need to check it against the cache to look for disagreement, not
>> cache each one separately.
> See the idea of an attack above.
> -- 
> Sergei Golovan
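The two cache designs argued over above, as an added example that is not part of the original message, of XEP-0115 or of any XMPP client. It models the name/version form of the caps hint discussed in the thread: a cache keyed on (node, ver) alone, where the first contact to announce a pair fills the entry served to every later contact announcing the same pair, against Sergei's (jid, node, ver) key, where one user's answer is never applied to another. It also includes Joe's fallback of querying a user directly and comparing the answer against the shared entry to look for disagreement. The JIDs, node URI, feature strings and the `query_disco_info` stand-in for a disco#info round-trip are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical JIDs, node URI and features; not from the
# thread or from XEP-0115). DISCO_INFO stands in for what each JID would answer to a
# direct disco#info query, i.e. the independent source a client can always fall back on.
DISCO_INFO = {
    "alice@example.org/home": frozenset({"http://jabber.org/protocol/muc", "jabber:iq:version"}),
    "mallory@example.org/x": frozenset({"urn:example:bogus-feature"}),
}

NODE, VER = "http://client.example/caps", "1.0"  # constructed; both presences claim this pair


@dataclass(frozen=True)
class CapsHint:
    """The <c node='...' ver='...'/> hint a contact attaches to its presence."""
    jid: str
    node: str  # client software identifier
    ver: str   # client version


def query_disco_info(jid):
    """Stand-in for a direct disco#info round-trip to one JID (hypothetical helper)."""
    return DISCO_INFO[jid]


class GlobalKeyedCache:
    """Cache keyed on (node, ver) only: whichever JID announces a pair first fills the
    entry that every later JID announcing the same pair is served from."""

    def __init__(self):
        self.entries = {}
        self.queries = 0
        self.disagreements = []

    def features_for(self, hint):
        key = (hint.node, hint.ver)
        if key not in self.entries:
            self.queries += 1
            self.entries[key] = query_disco_info(hint.jid)
        return self.entries[key]

    def verify(self, hint):
        """Joe's check: query this JID directly and compare with the shared entry.
        On disagreement, evict the entry and record which JID disagreed."""
        key = (hint.node, hint.ver)
        self.queries += 1
        actual = query_disco_info(hint.jid)
        if key in self.entries and self.entries[key] != actual:
            self.disagreements.append((hint.jid, key))
            del self.entries[key]
        return actual


class PerJidCache:
    """Sergei's proposal: key on (jid, node, ver), so one user's answer is never applied
    to another. Costs one query per contact but cannot be poisoned across contacts."""

    def __init__(self):
        self.entries = {}
        self.queries = 0

    def features_for(self, hint):
        key = (hint.jid, hint.node, hint.ver)
        if key not in self.entries:
            self.queries += 1
            self.entries[key] = query_disco_info(hint.jid)
        return self.entries[key]


def run_scenario(cache):
    """Mallory's presence arrives first, claiming the same node/ver that Alice really
    runs. Returns the feature set the cache then reports for Alice."""
    mallory = CapsHint("mallory@example.org/x", NODE, VER)
    alice = CapsHint("alice@example.org/home", NODE, VER)
    cache.features_for(mallory)
    return cache.features_for(alice)


if __name__ == "__main__":
    g = GlobalKeyedCache()
    print("global cache reports for alice:", sorted(run_scenario(g)))  # mallory's bogus set
    checked = g.verify(CapsHint("alice@example.org/home", NODE, VER))
    print("after direct verify:", sorted(checked), "disagreements:", g.disagreements)
    p = PerJidCache()
    print("per-jid cache reports for alice:", sorted(run_scenario(p)))  # alice's real set
```

With the (node, ver) key the cache reports Mallory's feature set for Alice after a single query; the direct verification catches the mismatch and evicts the shared entry, at the cost of the extra query that the shared key was meant to save. The (jid, node, ver) key performs two queries and is never wrong about Alice, which is the trade-off Sergei is arguing for.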
