[standards-jig] Security problems with JEP-115

Jacek Konieczny jajcus at bnet.pl
Tue Sep 23 09:05:06 UTC 2003


On Mon, Sep 22, 2003 at 02:26:24PM -0700, Justin Karneges wrote:
> This might work, but I think we're making everything needlessly complicated 
> for little gain.
> 
> My proposition is the following:
> 
> Client generates an opaque string to represent a particular persistent 
> instance of itself.  Recipients can cache this string (bound to the JID that 
> sent it), knowing that the sender might reuse it again.  The use of an opaque 
> string has the additional benefit that other "static" requests could be 
> cached (like iq:version).

I agree that this would be enough, at least in most cases. 

However, it won't work in at least one case - when a client does not have
any persistent storage for a cache - e.g. a Java applet client.

Private storage could be used, but if a namespace is not standardized for
it, then each client would duplicate the same information in the
private storage. And more space will be used if the same feature list
would be stored for each JID known.

And your proposition may be used just as a simplified implementation of
my proposition - just add a note that if the "feature tag" is not an MD5 sum
of the features, then it may be reused only for the JID which generated it
(but this complicates things again :-( ).

Greets,
	Jacek
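As an added illustration of the two proposals discussed in this thread (example code, not from the JEP or either poster): a recipient-side cache that shares an entry across JIDs only when the tag really is the MD5 of the canonical feature list, and otherwise binds an opaque tag to the JID that sent it. The canonical form (sorted, de-duplicated, newline-joined) is an assumption; the thread fixes no encoding.

```python
import hashlib
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


def feature_tag(features: Iterable[str]) -> str:
    """Jacek's 'MD5 sum of features': hash of a canonical feature list.

    Assumption: sorted, de-duplicated, newline-joined feature names.
    """
    canonical = "\n".join(sorted(set(features)))
    return hashlib.md5(canonical.encode("utf-8")).hexdigest()


class CapsCache:
    """Feature-list cache a recipient keeps for entities it hears from."""

    def __init__(self) -> None:
        # Entries usable for any JID: the tag is verified to be the hash.
        self.by_hash: Dict[str, FrozenSet[str]] = {}
        # Justin's opaque tags: only valid for the JID that announced them.
        self.by_jid: Dict[Tuple[str, str], FrozenSet[str]] = {}

    def store_verified(self, tag: str, features: Iterable[str]) -> bool:
        """Accept a cross-JID entry only if the tag matches the features.

        A tag that does not match is rejected, so one sender cannot plant
        a wrong feature list under a tag other entities also use.
        """
        feats = frozenset(features)
        if feature_tag(feats) != tag:
            return False
        self.by_hash[tag] = feats
        return True

    def store_opaque(self, jid: str, tag: str, features: Iterable[str]) -> None:
        """Cache an opaque tag bound to the sending JID, never shared."""
        self.by_jid[(jid, tag)] = frozenset(features)

    def lookup(self, jid: str, tag: str) -> Optional[FrozenSet[str]]:
        """Verified entries serve every JID; opaque ones only their owner."""
        if tag in self.by_hash:
            return self.by_hash[tag]
        return self.by_jid.get((jid, tag))
```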
