[standards-jig] Security problems with JEP-115

Peter G. Millard me at pgmillard.com
Sun Sep 21 21:22:04 UTC 2003

Justin Karneges wrote:
> Perhaps version strings should be consistent only on a
> per-installation basis, not per-client.  And the string should be
> associated with the JID that sent it, so that one JID cannot speak
> for another.
> This would mean that we'd lose out on the optimization of minimizing
> requests to the same client software, but I don't think this a huge
> loss, as it is probably less than 1% of the bandwidth saved out of
> the total that JEP-115 provides.

Um, this is kind of the whole point to JEP-115. To eliminate the
mass-duplication when I have 20 Psi users on my roster and I have disco all
of them. If we eliminate the optimizations, then we're basically back to
sending everyone in my roster a disco request, which is precisely what we're
trying to eliminate.


More information about the Standards mailing list