[Security] Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing
pavlix at pavlix.net
Mon Sep 1 17:13:08 CDT 2008
On Sun, 31 Aug 2008 20:47:47 +0200
Dirk Meyer <dmeyer at tzi.de> wrote:
> Peter Saint-Andre wrote:
> > Dirk Meyer wrote:
> >> Peter wants to give XEP-0189 more love, I guess this is something
> >> that should be in it. Also the user/client keys. When he is back I
> >> can work with him to add all that stuff.
> > Sure, let's do that. Or feel free to pull the XML out of SVN and
> > start working on it. :)
> I just looked at it and PEP and some other XEPs and there are some
> things I do not like. Maybe these XEPs need a small update for this
> 1. PEP says the last_item should only be sent if the priority is not
> negative. But all bots have a negative priority and will never get
> the updates. Maybe an extra config option for PubSub/PEP: also send
> to negative priority?
No priority in PubSub.
"If a subscriber subscribed using a bare JID <localpart@domain.tld> and
a PEP service has appropriate presence information about the
subscriber, the PEP service MUST send one notification to the full JID
(<localpart@domain.tld/resource> or <domain.tld/resource>) of each of
the subscriber's available resources that have specified non-negative
presence priority and included XEP-0115 information that indicates an
interest in the data format."
I believe that if some resource indicates an interest, it should get
what it wants.
+1 for a change in the XEP
> 2. I like the fact that I get a notification when I start my client
> when there is a new item (if it is configured that way). But I also
> want to be notified when something was deleted (certificate
> revoked). What I would like to have is that I get a notification
> from the server that "something has changed since I was last
> online" so I can get the whole tree of certificates.
You should not need to watch deleted items. Certificates are revoked,
not deleted; revocation could just as easily be announced as a new item.
> Maybe move that discussion to the pubsub list? /me needs to subscribe
> to that list, too :)
Maybe, I'm not sure.
> And something else: I also added a note in my XEP proposal about the
> TLS verification: what should keys look like? XEP-0189 now uses xmldsig,
> which IMHO is very complicated. People know how keys look in PEM
> format. Maybe just use this?
Jabber & Mail: pavlix(at)pavlix.net