[standards-jig] Security problems with JEP-115

Justin Karneges justin-jdev at affinix.com
Sun Sep 21 22:44:37 UTC 2003


On Sunday 21 September 2003 02:22 pm, Peter G. Millard wrote:
> Justin Karneges wrote:
> > Perhaps version strings should be consistent only on a
> > per-installation basis, not per-client.  And the string should be
> > associated with the JID that sent it, so that one JID cannot speak
> > for another.
> >
> > This would mean that we'd lose out on the optimization of minimizing
> > requests to the same client software, but I don't think this is a huge
> > loss, as it is probably less than 1% of the bandwidth saved out of
> > the total that JEP-115 provides.
>
> Um, this is kind of the whole point to JEP-115. To eliminate the
> mass-duplication when I have 20 Psi users on my roster and I have to disco all
> of them. If we eliminate the optimizations, then we're basically back to
> sending everyone in my roster a disco request, which is precisely what
> we're trying to eliminate.

Well, the original point was to not flood the network during logins or when 
new contacts become available.  Sure, if we eliminate the client-version 
optimization, you would end up having to query all 20 of those Psi users, but 
this would only be a one-time deal.  The 'bulk' of the bandwidth savings 
would remain, which is that you wouldn't query any of these users again until 
they upgrade and/or change clients.  Those 19 extra requests that you did on 
day 1 are of little concern, IMO.

-Justin
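The trade-off the two messages above argue over can be made concrete with a small simulation. The following is an added example, not code from the thread or from any XMPP client: it models two caps caches, one keyed on the version string alone (the shared optimization Peter defends) and one keyed on (JID, version string) (the per-installation scheme Justin proposes), and counts the disco queries each issues for a constructed roster of 20 contacts on the same Psi build over several logins. The roster, feature sets, version string and the `disco` stand-in are all constructed for the example.

```python
"""Constructed simulation of the JEP-115 caps-caching trade-off.

Two cache policies for capability hints carried in presence:
  * SharedCache  - keyed on the version string alone, so one lookup serves
                   every contact advertising the same string.
  * PerJidCache  - keyed on (JID, version string), so a string only ever
                   speaks for the JID that sent it.

Added example, not code from the original thread or from any XMPP client.
The roster, feature sets and version strings below are constructed.
"""

from typing import Callable, Dict, List, Tuple

FeatureSet = frozenset
DiscoFn = Callable[[str], FeatureSet]   # stands in for a disco#info round trip


class SharedCache:
    """Version string alone is the key: any JID showing a known string is
    assumed to have the cached feature set without being asked."""

    def __init__(self) -> None:
        self.caps: Dict[str, FeatureSet] = {}
        self.requests = 0

    def on_presence(self, jid: str, version: str, disco: DiscoFn) -> FeatureSet:
        if version not in self.caps:
            self.requests += 1
            self.caps[version] = disco(jid)
        return self.caps[version]


class PerJidCache:
    """(JID, version string) is the key: the first time a given JID shows a
    given string it is queried directly, and the answer is stored only for it."""

    def __init__(self) -> None:
        self.caps: Dict[Tuple[str, str], FeatureSet] = {}
        self.requests = 0

    def on_presence(self, jid: str, version: str, disco: DiscoFn) -> FeatureSet:
        key = (jid, version)
        if key not in self.caps:
            self.requests += 1
            self.caps[key] = disco(jid)
        return self.caps[key]


# Constructed roster: 20 contacts all running the same Psi build.
PSI_VERSION = "psi/0.9"
PSI_FEATURES: FeatureSet = frozenset({"jabber:iq:version", "http://jabber.org/protocol/muc"})
ROSTER: List[str] = [f"user{i}@example.org/Psi" for i in range(20)]
TRUE_FEATURES: Dict[str, FeatureSet] = {jid: PSI_FEATURES for jid in ROSTER}

# A constructed contact whose advertised string does not match its real
# features (a mislabelled or forked build, say).
OTHER = "other@example.org/Client"
TRUE_FEATURES[OTHER] = frozenset({"jabber:iq:version"})


def disco(jid: str) -> FeatureSet:
    """Stand-in for a disco#info query: returns the contact's real feature set."""
    return TRUE_FEATURES[jid]


def requests_per_day(cache_cls, days: int = 3) -> List[int]:
    """Disco queries issued on each day when every roster contact logs in
    once per day with an unchanged client."""
    cache = cache_cls()
    counts = []
    for _ in range(days):
        before = cache.requests
        for jid in ROSTER:
            cache.on_presence(jid, PSI_VERSION, disco)
        counts.append(cache.requests - before)
    return counts


def features_seen_for(cache_cls, jid: str, advertised: str) -> FeatureSet:
    """Feature set the cache reports for `jid` once the Psi contacts are
    cached and `jid` then advertises the string `advertised`."""
    cache = cache_cls()
    for peer in ROSTER:
        cache.on_presence(peer, PSI_VERSION, disco)
    return cache.on_presence(jid, advertised, disco)


if __name__ == "__main__":
    print("shared :", requests_per_day(SharedCache))   # [1, 0, 0]
    print("per-JID:", requests_per_day(PerJidCache))   # [20, 0, 0]
    for cls in (SharedCache, PerJidCache):
        print(cls.__name__, sorted(features_seen_for(cls, OTHER, PSI_VERSION)))
```

The per-JID cache costs 19 extra queries on the first day and nothing afterwards, which is the point Justin makes about the bulk of the savings surviving. The second function shows the security difference: the shared cache reports the Psi feature set for any JID that presents the Psi string, while the per-JID cache asks that JID once and records only what it actually answered.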


