[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Evan Prodromou evan at prodromou.san-francisco.ca.us
Fri May 23 17:44:45 UTC 2003


>>>>> "PS" == Peter Saint-Andre <stpeter at jabber.org> writes:

    PS> If you look at how jabber:iq:auth is implemented today (e.g.,
    PS> by the jabberd server), you will note that the response to an
    PS> IQ get with an invalid username is indeed a 401 error. I agree
    PS> that this provides a malicious user or script with the ability
    PS> to discover which usernames are in use.

    PS> I'm not as sure about the right way to fix this, but I think
    PS> the JEP should say that a server implementation may return an
    PS> error (as implementations do now) or an IQ result with the
    PS> fields to fill out (i.e., treating the username as valid), but
    PS> must return one or the other.

So, I guess I'm just still scratching my head over this.

JEP-0078 documents the current jabber:iq:auth behavior, so that new
implementations of clients and servers can be backwards-compatible
with SASL-ignorant partners, right?

If that's the case, I don't see why it would make sense to 'fix' the
protocol. The protocol should be documented as it stands, with a
security note documenting the flaw.

I guess I see the goal of JEP 78 less as 'fixing jabber:iq:auth' than
'documenting existing jabber:iq:auth'.

~ESP

-- 
Evan Prodromou
evan at prodromou.san-francisco.ca.us
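Added example, not code from the thread or from jabberd: the two replies to a jabber:iq:auth IQ get that the thread contrasts, built with Python's xml.etree, with a check of whether the reply shape alone tells an observer if a username exists. The user table and stanza id are constructed for the example; the stanza layout follows JEP-0078 and the legacy numeric error code the post mentions.

```python
import xml.etree.ElementTree as ET

NS_AUTH = "jabber:iq:auth"

# Constructed stand-in for the server's account store.
KNOWN_USERS = {"alice", "bob"}


def _result_with_fields(iq_id, username):
    """IQ result listing the fields the client must fill in (JEP-0078 style)."""
    iq = ET.Element("iq", type="result", id=iq_id)
    query = ET.SubElement(iq, "query", xmlns=NS_AUTH)
    ET.SubElement(query, "username").text = username
    for field in ("password", "digest", "resource"):
        ET.SubElement(query, field)
    return iq


def _error_401(iq_id):
    """Legacy-style 401 error, as the post says servers of the day return."""
    iq = ET.Element("iq", type="error", id=iq_id)
    err = ET.SubElement(iq, "error", code="401")
    err.text = "Unauthorized"
    return iq


def leaky_auth_get(iq_id, username):
    """Current behaviour described in the thread: the reply depends on account existence."""
    if username in KNOWN_USERS:
        return ET.tostring(_result_with_fields(iq_id, username), encoding="unicode")
    return ET.tostring(_error_401(iq_id), encoding="unicode")


def uniform_auth_get(iq_id, username):
    """Alternative the post floats: treat every username as valid at the get stage."""
    return ET.tostring(_result_with_fields(iq_id, username), encoding="unicode")


def responses_differ(handler, existing, missing, iq_id="auth1"):
    """True if reply shape (ignoring the echoed username) distinguishes the two names."""
    a = handler(iq_id, existing).replace(existing, "USER")
    b = handler(iq_id, missing).replace(missing, "USER")
    return a != b
```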