[Security] rfc3920bis - "from" attribute in the stream header

Justin Karneges justin at affinix.com
Sat Feb 21 16:07:51 CST 2009


On Saturday 21 February 2009 13:36:30 Peter Saint-Andre wrote:
> I had not considered that "attack", so I will change the text to SHOULD
> or MAY (or remove it entirely). I don't think that any server
> implementations depend on the 'from' address of the initial stream
> header, so removing this text will not cause any problems.

For what it's worth, SASL and iq:auth give away the identity already.  The 
only way this information was ever protected is through the use of TLS.

So, it may be enough to suggest that, if you plan to use TLS, the 'from' 
attribute should not be populated until the <stream> following TLS 
negotiation.  Though I don't know if that's really practical (for example, 
you leave it out, but then the server doesn't offer starttls, oops).

What is the reason for this attribute?  My guess is that it would allow a 
server to offer SASL mechanisms specific to the initiating user, which 
coincidentally I mentioned earlier today: http://forum.psi-im.org/thread/5257
(but I don't know if that's true at all).

-Justin
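
The suggestion in the message above, sketched as an added example that is not part of the original post or of any XMPP implementation: the client leaves 'from' out of the initial stream header, adds it on the stream restarted after TLS, and decides what to do when the server offers no STARTTLS. The function names, the `require_tls` policy switch and the sample JID and feature payloads are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample <stream:features/> payloads. The stream prefix is declared
# inline so each parses stand-alone; on the wire it is inherited from the header.
FEATURES_WITH_TLS = (
    f"<stream:features xmlns:stream='{NS_STREAMS}'>"
    f"<starttls xmlns='{NS_TLS}'/></stream:features>"
)
FEATURES_NO_TLS = (
    f"<stream:features xmlns:stream='{NS_STREAMS}'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)

def stream_header(server, jid=None, tls_active=False):
    """Client stream header; 'from' is populated only once TLS protects the stream."""
    attrs = [("to", server), ("version", "1.0"),
             ("xmlns", "jabber:client"), ("xmlns:stream", NS_STREAMS)]
    if jid and tls_active:
        attrs.insert(0, ("from", jid))
    return "<stream:stream " + " ".join(f"{k}={quoteattr(v)}" for k, v in attrs) + ">"

def offers_starttls(features_xml):
    """True if the server's feature list advertises STARTTLS."""
    return ET.fromstring(features_xml).find(f"{{{NS_TLS}}}starttls") is not None

def next_step(features_xml, tls_active, require_tls=True):
    """Decide what to do after reading features (the policy is an assumption)."""
    if tls_active:
        return "authenticate"           # header after TLS already carried 'from'
    if offers_starttls(features_xml):
        return "starttls"               # then restart the stream with 'from'
    # The "oops" case: 'from' was withheld but the server offers no STARTTLS.
    return "abort" if require_tls else "continue-without-from"

if __name__ == "__main__":
    jid, server = "juliet@example.com", "example.com"   # constructed values
    print("C:", stream_header(server, jid, tls_active=False))
    print("S:", FEATURES_WITH_TLS)
    print("->", next_step(FEATURES_WITH_TLS, tls_active=False))
    print("C:", stream_header(server, jid, tls_active=True))
    print("->", next_step(FEATURES_NO_TLS, tls_active=False))
```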

