[standards-jig] Security problems with JEP-115

Justin Karneges justin-jdev at affinix.com
Mon Sep 22 21:26:24 UTC 2003


On Sunday 21 September 2003 11:55 pm, Jacek Konieczny wrote:
> My proposition is the following:
>
> client would concatenate category/type information and all supported
> namespaces (both sorted alphabetically first) and compute MD5 hash of
> resulting string.
>
> The MD5 hash would be announced in <presence/> stanzas as "feature tag".

This might work, but I think we're making everything needlessly complicated 
for little gain.

My proposition is the following:

Client generates an opaque string to represent a particular persistent
instance of itself.  Recipients can cache this string (bound to the JID that 
sent it), knowing that the sender might reuse it again.  The use of an opaque 
string has the additional benefit that other "static" requests could be 
cached (like iq:version).

KISS.

-Justin
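
The two caching schemes discussed in this message, sketched from the recipient's side as an added example (not code from the thread or from JEP-115). The separator used when concatenating, the class and function names, and the sample JIDs and feature lists are assumptions made for illustration.

```python
import hashlib

def feature_tag(identities, namespaces, sep="\n"):
    # Quoted proposal: sort category/type strings and namespaces, concatenate, MD5.
    # The separator is an assumption; the message does not specify one.
    parts = sorted(identities) + sorted(namespaces)
    return hashlib.md5(sep.join(parts).encode("utf-8")).hexdigest()

class HashTagCache:
    """Tag is derived from the content, so a reply can be checked before caching."""
    def __init__(self):
        self._by_tag = {}

    def store(self, tag, identities, namespaces):
        if feature_tag(identities, namespaces) != tag:
            return False  # reply does not match the announced tag: do not cache
        self._by_tag[tag] = frozenset(namespaces)
        return True

    def lookup(self, jid, tag):
        return self._by_tag.get(tag)  # jid unused: entry is keyed by content hash

class OpaqueCache:
    """String is opaque and cannot be checked, so entries are bound to the sending JID."""
    def __init__(self):
        self._by_jid_token = {}

    def store(self, jid, token, namespaces):
        self._by_jid_token[(jid, token)] = frozenset(namespaces)

    def lookup(self, jid, token):
        return self._by_jid_token.get((jid, token))

# Constructed sample data (not taken from the thread)
IDENT = ["client/pc"]
NS = ["jabber:iq:version", "http://jabber.org/protocol/disco#info"]
ALICE, BOB = "alice@example.org/home", "bob@example.net/work"

if __name__ == "__main__":
    tag = feature_tag(IDENT, NS)
    hashed, opaque = HashTagCache(), OpaqueCache()
    print("matching reply cached:", hashed.store(tag, IDENT, NS))
    print("mismatched reply cached:", hashed.store(tag, IDENT, NS + ["urn:example:extra"]))
    opaque.store(ALICE, "v1", NS)
    print("same token, other JID:", opaque.lookup(BOB, "v1"))
```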


