[Security] Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing

Peter Saint-Andre stpeter at stpeter.im
Wed Sep 3 21:13:38 CDT 2008


Dave Cridland wrote:
> On Mon Sep  1 23:13:08 2008, Pavel Simerda wrote:
>> On Sun, 31 Aug 2008 20:47:47 +0200
>> Dirk Meyer <dmeyer at tzi.de> wrote:
>>
>> > Peter Saint-Andre wrote:
>> > > Dirk Meyer wrote:
>> > >> Peter wants to give XEP-0189 more love, I guess this is something
>> > >> that should be in it. Also the user/client keys. When he is back I
>> > >> can work with him to add all that stuff.
>> > >
>> > > Sure, let's do that. Or feel free to pull the XML out of SVN and
>> > > start working on it. :)
>> >
>> > I just looked at it and PEP and some other XEPs and there are some
>> > things I do not like. Maybe these XEPs need a small update for this
>> > use-case.
>> >
>> > 1. PEP says the last_item should only be sent if the priority is not
>> >    negative. But all bots have a negative priority and will never get
>> >    the updates. Maybe an extra config option for PubSub/PEP: also send
>> >    to negative priority?
>>
>> http://www.xmpp.org/extensions/xep-0060.html#filtered-notifications
>>
>> No priority in PubSub.
>>
>> In PEP:
>>
>> "If a subscriber subscribed using a bare JID <localpart@domain.tld> and
>> a PEP service has appropriate presence information about the
>> subscriber, the PEP service MUST send one notification to the full JID
>> (<localpart@domain.tld/resource> or <domain.tld/resource>) of each of
>> the subscriber's available resources that have specified non-negative
>> presence priority and included XEP-0115 information that indicates an
>> interest in the data format."
>>
>> I believe that if some resource indicates an interest, it should get
>> what it wants.
>>
>> +1 for a change in the XEP
>>
>> > 2. I like the fact that I get a notification when I start my client
>> >    when there is a new item (if it is configured that way). But I also
>> >    want to be notified when something was deleted (certificate
>> >    revoked). What I would like to have is that I get a notification
>> >    from the server that "something has changed since I was last
>> >    online" so I can get the whole tree of certificates.
>>
>> You should not need to watch deleted items. Certificates are revoked,
>> not deleted; revocation could just as easily be announced as a new item.
>>
>> > Maybe move that discussion to the pubsub list? /me needs to subscribe
>> > to that list, too :)
>>
>> Maybe, I'm not sure.
> 
> I'm sure. Copied. :-)
> 
> I (or someone) will report back with whatever it was that ended up being 
> decided; in the meantime, assume that from a protocol perspective, we'll 
> find a solution.

I provisionally modified XEP-0163 to remove the prohibition on sending 
to negative resources. The next Council will need to approve that change 
because XEP-0163 has a status of Draft. I assume that the incoming 
Council Chair will handle that somehow. :)

/psa
