[standards-jig] Security problems with JEP-115

Jacek Konieczny jajcus at bnet.pl
Thu Sep 18 07:32:55 UTC 2003


On Wed, Sep 17, 2003 at 01:41:22PM -0600, Peter Millard wrote:
> Jacek Konieczny wrote:
> > I think the idea of JEP-115 is totally wrong, but I know the intentions
> > were good.
> 
> When you shoot something down.. it's most constructive to offer some kind of
> alternative. 

IHMO it is better to no nothing, that do something very bad.

>What do you propose to do? 

I think it would be better if client whould announce real feature list
in their presence (although I don't like announcing anything that is not
presence/availability in <presence/> stanza) than some hint which can be
used to use information from other client. Asking some client for
features of another client is not good. Of course regular disco reply is
much to large for announcing in <presence/>, but if it would be reduced
to some kind of bitmask (values whould have to be registered in JR) then
the <presence/> packet whould not be much bigger than those proposed by
JEP-115.

Other solution would be not to ask random client, but some entity
pointent by the <presence/> packet. This could be some jabber entity
or eg. HTTP URL.

Greets,
	Jacek



More information about the Standards mailing list