[Security] rfc3920bis - "from" attribute in the stream header
stpeter at stpeter.im
Sat Feb 21 16:11:03 CST 2009
Justin Karneges wrote:
> On Saturday 21 February 2009 13:36:30 Peter Saint-Andre wrote:
>> I had not considered that "attack", so I will change the text to SHOULD
>> or MAY (or remove it entirely). I don't think that any server
>> implementations depend on the 'from' address of the initial stream
>> header, so removing this text will not cause any problems.
> For what it's worth, SASL and iq:auth give away the identity already. The
> only way this information was ever protected is through the use of TLS.
> So, it may be enough to suggest that, if you plan to use TLS, the 'from'
> attribute should not be populated until the <stream> following TLS
> negotiation. Though I don't know if that's really practical (for example,
> you leave it out, but then the server doesn't offer starttls, oops).
Right. But nothing breaks at that point because AFAIK the server doesn't
depend on the 'from'.
> What is the reason for this attribute? My guess is that it would allow a
> server to offer SASL mechanisms specific to the initiating user, which
> coincidentally I mentioned earlier today: http://forum.psi-im.org/thread/5257
> (but I don't know if that's true at all).
Yes, that was the idea. But it can do that after the TLS negotiation has
completed. It's always best to use TLS anyway, right? ;-)
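The ordering discussed in this thread, as an added example that is not part of the original message: a client-side header builder that withholds 'from' until TLS is active, and an audit over a constructed transcript that reports any identity sent in a cleartext stream header. The function names, the (sender, data) transcript format and the sample JID are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

STREAMS_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
JID = "juliet@example.com"  # constructed sample identity

def stream_header(to_domain, from_jid=None, tls_active=False):
    """Build a client stream header; 'from' is emitted only once TLS is up."""
    attrs = [("to", to_domain), ("version", "1.0")]
    if from_jid and tls_active:
        attrs.insert(0, ("from", from_jid))
    rendered = " ".join(f"{k}={quoteattr(v)}" for k, v in attrs)
    return (f"<stream:stream {rendered} xmlns='jabber:client' "
            f"xmlns:stream='{STREAMS_NS}'>")

def header_from(header):
    """Return the 'from' of a stream header (an unclosed element), or None."""
    # The header never closes on the wire, so close it before parsing.
    root = ET.fromstring(header + "</stream:stream>")
    if root.tag != f"{{{STREAMS_NS}}}stream":
        raise ValueError("not a stream header")
    return root.get("from")

def audit(frames):
    """Return identities sent in a stream header before the server's <proceed/>.

    frames: (sender, data) tuples in wire order, sender "C" or "S".
    """
    tls_active, leaks = False, []
    for sender, data in frames:
        if sender == "S" and data.startswith("<proceed") and TLS_NS in data:
            tls_active = True
        elif sender == "C" and data.startswith("<stream:stream"):
            jid = header_from(data)
            if jid and not tls_active:
                leaks.append(jid)
    return leaks

# Constructed transcripts: the TLS upgrade, then the restarted stream.
UPGRADE = [("C", f"<starttls xmlns='{TLS_NS}'/>"),
           ("S", f"<proceed xmlns='{TLS_NS}'/>"),
           ("C", stream_header("example.com", JID, tls_active=True))]
LEAKY = [("C", f"<stream:stream from='{JID}' to='example.com' version='1.0' "
               f"xmlns='jabber:client' xmlns:stream='{STREAMS_NS}'>")] + UPGRADE
DEFERRED = [("C", stream_header("example.com", JID))] + UPGRADE

if __name__ == "__main__":
    print("leaky:", audit(LEAKY), "deferred:", audit(DEFERRED))
```

If the server never sends `<proceed/>`, the deferred client has simply sent no 'from' at all, which matches the "nothing breaks" case in the reply above.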