[Foundation] Last Minute JEP 78 Concerns

Peter Saint-Andre stpeter at jabber.org
Fri May 23 10:20:49 CDT 2003


On Thu, May 22, 2003 at 02:25:58PM -0700, Evan Prodromou wrote:
> >>>>> "CM" == Chris Mullins <cmullins at winfessor.com> writes:
> 
>     CM> Is this something worth fixing before anyone else implements
>     CM> the JEP?
> 
> "before anyone else implements the JEP"? Doesn't everyone _already_
> implement this JEP? B-)
> 
> Since JEP-0078 documents the existing jabber:iq:auth namespace, it
> doesn't seem to make much sense to enhance it to be more secure. I'd
> prefer to see this kind of thing addressed in the XMPP SASL
> authentication instead.

If you look at how jabber:iq:auth is implemented today (e.g., by the
jabberd server), you will note that the response to an IQ get with an
invalid username is indeed a 401 error. I agree that this provides a
malicious user or script with the ability to discover which usernames
are in use. I'm not as sure about the right way to fix this, but I think
the JEP should say that a server implementation may return an error (as
implementations do now) or an IQ result with the fields to fill out
(i.e., treating the username as valid), but must return one or the
other.

Thoughts?

Peter

P.S. Moving this thread to Standards-JIG, please reply there.
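The two server behaviours discussed above, side by side, as an added example for this page (it is not jabberd's code or anything from JEP-0078 itself): the IQ-get handler that answers an unknown username with a 401 at the get stage, and the alternative Peter suggests, where every get is answered with the field list and the username is only judged at the later IQ-set. The account table, stanza ids and handler names are constructed for the example; `shape()` reduces a response to what an outside observer could compare between two answers.

```python
"""jabber:iq:auth (JEP-0078) IQ-get handling: the username-revealing variant
next to the uniform-response variant.  Example code written for this page,
not jabberd's; ACCOUNTS and the stanza ids are constructed."""
import hmac
import xml.etree.ElementTree as ET

NS_AUTH = "jabber:iq:auth"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Constructed account table (username -> password).  jabber:iq:auth's digest
# mechanism needs the server-side plaintext anyway; this is illustration only.
ACCOUNTS = {"alice": "correct horse", "bob": "hunter2"}


def _q(tag: str) -> str:
    """Clark-notation name for an element in the jabber:iq:auth namespace."""
    return f"{{{NS_AUTH}}}{tag}"


def auth_get(iq_id: str, username: str) -> str:
    """The client's IQ-get: 'which fields do I have to supply for this user?'"""
    iq = ET.Element("iq", type="get", id=iq_id)
    query = ET.SubElement(iq, _q("query"))
    ET.SubElement(query, _q("username")).text = username
    return ET.tostring(iq, encoding="unicode")  # ns0: prefix is cosmetic


def fields_result(iq_id: str, username: str) -> str:
    """IQ result listing the fields to fill in, i.e. the username is treated as valid."""
    iq = ET.Element("iq", type="result", id=iq_id)
    query = ET.SubElement(iq, _q("query"))
    ET.SubElement(query, _q("username")).text = username
    for field in ("password", "digest", "resource"):
        ET.SubElement(query, _q(field))
    return ET.tostring(iq, encoding="unicode")


def not_authorized(iq_id: str) -> str:
    """The 401 error stanza current implementations return."""
    iq = ET.Element("iq", type="error", id=iq_id)
    err = ET.SubElement(iq, "error", code="401", type="auth")
    ET.SubElement(err, f"{{{NS_STANZAS}}}not-authorized")
    return ET.tostring(iq, encoding="unicode")


def _id_and_username(stanza: str) -> tuple[str, str]:
    """Pull the stanza id and <username/> out of an IQ-get."""
    iq = ET.fromstring(stanza)
    user = iq.find(f"{_q('query')}/{_q('username')}")
    if user is None or not user.text:
        raise ValueError("jabber:iq:auth query without <username/>")
    return iq.get("id", ""), user.text


def handle_get_enumerating(stanza: str) -> str:
    """Behaviour the thread describes: an unknown username is rejected with
    401 at the get stage, so the error itself tells the sender whether the
    account exists."""
    iq_id, username = _id_and_username(stanza)
    if username not in ACCOUNTS:
        return not_authorized(iq_id)
    return fields_result(iq_id, username)


def handle_get_uniform(stanza: str) -> str:
    """The alternative: answer every get with the field list, so the response
    does not depend on whether the username is in use."""
    iq_id, username = _id_and_username(stanza)
    return fields_result(iq_id, username)


def handle_set(iq_id: str, username: str, password: str) -> str:
    """The later IQ-set.  Unknown user and wrong password get the identical
    401, so this stage reveals nothing the get stage held back; the compare
    runs against an empty string for unknown users to keep timing similar."""
    expected = ACCOUNTS.get(username, "")
    matches = hmac.compare_digest(expected.encode(), password.encode())
    if username in ACCOUNTS and matches:
        return ET.tostring(ET.Element("iq", type="result", id=iq_id), encoding="unicode")
    return not_authorized(iq_id)


def shape(stanza: str) -> tuple:
    """What an observer could compare between two responses: every element's
    tag and attributes, minus the stanza id and the echoed username text."""
    iq = ET.fromstring(stanza)
    return tuple(
        (el.tag, tuple(sorted((k, v) for k, v in el.attrib.items() if k != "id")))
        for el in iq.iter()
    )


if __name__ == "__main__":
    for handler in (handle_get_enumerating, handle_get_uniform):
        known = shape(handler(auth_get("g1", "alice")))
        unknown = shape(handler(auth_get("g2", "mallory")))
        print(f"{handler.__name__}: responses {'differ' if known != unknown else 'match'}")
```

Run as a script it reports that `handle_get_enumerating` answers the two usernames differently while `handle_get_uniform` answers them identically. Note that the uniform variant also matches what a client sees for a valid user in the get stage, which is why the JEP text can allow either behaviour as long as a server picks one and sticks to it.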
