[standards-jig] Security problems with JEP-115
dizzyd at jabber.org
Wed Sep 17 19:19:45 UTC 2003
I don't quite follow why you think that 115 has anything to do with
On Wednesday, Sep 17, 2003, at 11:10 America/Denver, Jacek Konieczny
> I have just accidentally looked into JEP-115 (I was going to read it in
> some near future anyway) and found things I don't like.
> 1. For this protocol to work all clients must not lie about their
> versions. This is no good - some people don't like to tell what
> they used. jabber:iq:version could always be turned off or faked
> making any problems.
> 2. When one client lies about version or supported extension this may
> influence other users' sessions. This is A VERY BAD THING. What kind of
> security is it if I can turn some functionality off in others
> I think the idea of JEP-115 is totally wrong, but I know the intentions
> were good.