[Operators] Attacks/Threats and related config attributes

Wayne Mac Adams waynemacadams at gmail.com
Fri Nov 6 05:05:52 CST 2009


Thanks for the responses.

XEP-0205 talks about ranges because there are different deployment
scenarios. The threats faced by an XMPP instant messaging service on the
open Internet are different from those faced by an IM service on a
company intranet. Similarly, an XMPP-based service that is not quite so
open-ended (say, FireEagle or BuddyCloud for location data) probably
faces yet other threats. Multi-user chatrooms are attacked in ways that
are uncommon for single user accounts. And so on. It is hard to
generalize about all possible XMPP services. Perhaps you can provide
information about the "profile" you're most interested in?

Peter


Sorry, perhaps I should have been more detailed.

I wouldn't say there's a specific profile in terms of open Internet/closed
intranet etc.
What I'm interested in is server federation. The idea is to use Trust
management (e.g. KeyNote, SecPAL etc.) to mediate federation of the servers.
If a server S1 can prove to a server S2 that it is trusted (via a series of
Trust management credentials) then it will be allowed access.
So the reason I am interested in the types of threats and configuration
attributes related to them is so I can design the Trust management
credentials. For example, S1 is concerned about DoS attacks; S2 makes a
request to connect to S1 and has a credential saying "Server 2 is properly
configured against DoS attacks" and perhaps a few others indicating S2 isn't
a rogue server etc. If the trust management system deems, based on
these credentials, that S1 trusts S2, then S2 will be allowed to connect
with S1.

You may want to offer to give people a heads up on the research you do
BEFORE making any finding public so that they can rectify any 'issues' and
you should also offer to give people who help you out a full copy of your
research.

This way you'll get more people willing to help as they will be getting
something useful in return.

regards,

David.

Thanks for the suggestion, I will indeed make anything I find public,
although I am not really trying to find anything new, rather document
existing threats and credentials and translate them into trust management
credentials but I will share what I come up with. And I will also give a
full copy of my research to anyone who offers to help.

Thanks,
Wayne