[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Wed Aug 20 11:37:26 CDT 2008


Peter Saint-Andre <stpeter at stpeter.im> wrote:

> So configure your client to prefer messages. Done.

Isn't it determined by the sender whether IQ or Message is used?
For encryption, we should enforce message IMO. I already had the case
that the caps for me were wrong. I was in a session and changed
the resource, however without the remote client noticing, so the remote
end wrote me and got XEP-0184 warnings. But I never noticed. It took
a while for him to figure out it was the session that caused the
problems and to disable it. But I never noticed any of that. I
could have said "Uhm, I just got something from our last session here
in a client that doesn't support ESessions" and there wouldn't have
been a problem at all.

-- 
Jonathan