[Security] rfc3920bis - "from" attribute in the stream header

Peter Saint-Andre stpeter at stpeter.im
Sat Feb 21 16:11:03 CST 2009


Justin Karneges wrote:
> On Saturday 21 February 2009 13:36:30 Peter Saint-Andre wrote:
>> I had not considered that "attack", so I will change the text to SHOULD
>> or MAY (or remove it entirely). I don't think that any server
>> implementations depend on the 'from' address of the initial stream
>> header, so removing this text will not cause any problems.
> 
> For what it's worth, SASL and iq:auth give away the identity already.  The 
> only way this information was ever protected is through the use of TLS.

Correct.

> So, it may be enough to suggest that, if you plan to use TLS, the 'from' 
> attribute should not be populated until the <stream> following TLS 
> negotiation.  Though I don't know if that's really practical (for example, 
> you leave it out, but then the server doesn't offer starttls, oops).

Right. But nothing breaks at that point because AFAIK the server doesn't
depend on the 'from'.

> What is the reason for this attribute?  My guess is that it would allow a 
> server to offer SASL mechanisms specific to the initiating user, which 
> coincidentally I mentioned earlier today: http://forum.psi-im.org/thread/5257
> (but I don't know if that's true at all).

Yes, that was the idea. But it can do that after the TLS negotiation has
completed. It's always best to use TLS anyway, right? ;-)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6751 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20090221/bd127fad/attachment.bin 


More information about the Security mailing list