[standards-jig] gateway handling of legacy contact lists

maqi at jabberstudio.org maqi at jabberstudio.org
Wed Dec 17 00:28:02 UTC 2003


On Tue, 16 Dec 2003, Matthias Wimmer wrote:

>>>If it's just a portion, how do you denote that?
>> Only roster items of which the host portion of their address equals the
>> service's address.  For example: someone at yahoo.example.com
> Then the admin of example.com gets access to all your roster items that
> belong to users on example.com.

No. My server denies access attempts as there is no authorized transport
with JID "example.com" on my roster (the second security measure I
mentioned).

The admin of yahoo.example.com could change roster entries matching
*@yahoo.example.com on my server (as long as I'm registered with the
yahoo.example.com transport), that's all. I don't see a security hole
here.

Regards
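
Added example, not part of the original message or of any server's code: a sketch of the two checks described above (the service must be on the roster as an authorized transport, and it may only touch items whose host equals its own address). The roster layout, the "transport" flag and the function names are assumptions made for illustration.

```python
# Added illustration. The roster layout ("transport" flag on a bare-domain
# roster entry) and all function names are assumptions, not a real server API.

def split_jid(jid):
    """Return (node, host, resource) with the host lower-cased."""
    bare, _, resource = jid.partition("/")
    node, _, host = bare.rpartition("@")
    return node, host.lower(), resource

def gateway_may_modify(roster, requester, item_jid):
    """Decide whether `requester` may change the roster entry `item_jid`."""
    node, service, _ = split_jid(requester)
    # Gateways are addressed by a bare domain; a user JID is never a gateway.
    if node:
        return False
    # Second measure: the service must be on the roster as an authorized
    # transport, i.e. the roster owner registered with it.
    entry = roster.get(service)
    if not entry or not entry.get("transport"):
        return False
    # First measure: exact host match on items of the form *@service, never a
    # suffix match, so example.com gains nothing from yahoo.example.com.
    item_node, item_host, _ = split_jid(item_jid)
    return bool(item_node) and item_host == service

def apply_gateway_update(roster, requester, item_jid, name):
    """Apply a rename pushed by a gateway; return False if it was denied."""
    if not gateway_may_modify(roster, requester, item_jid):
        return False
    key = "@".join(split_jid(item_jid)[:2])
    roster.setdefault(key, {})["name"] = name
    return True

# Constructed sample roster for a user registered with yahoo.example.com only.
ROSTER = {
    "yahoo.example.com": {"transport": True},
    "someone@yahoo.example.com": {"name": "Someone"},
    "friend@example.com": {"name": "Friend"},
}

if __name__ == "__main__":
    for who, item in [("yahoo.example.com", "someone@yahoo.example.com"),
                      ("example.com", "friend@example.com"),
                      ("yahoo.example.com", "friend@example.com")]:
        print(who, item, gateway_may_modify(ROSTER, who, item))
```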


