[Standards-JIG] NEW: JEP-0140 (Shared Groups)

maqi at jabberstudio.org maqi at jabberstudio.org
Thu Jul 29 14:29:59 UTC 2004


On Thu, 29 Jul 2004, Ian Paterson wrote:

>> "It is the receiving application's responsibility to add the
>> newly-published roster item to the recipient's roster" - if the client
>> really directly inserts contacts distributed via PubSub into the user's
>> roster, this is a problem as any malicious server can insert arbitrary
>> contacts then (as there's no way for a client to check whether the user
>> is really subscribed to a pubsub node).
> Good point. Do we need a new JEP that specifies how clients can maintain
> a list of servers that their user trusts to *automatically* process
> pubsub <event/> elements?

While perhaps some kind of security JEP would be nice, on the one hand I'd
rather like this to be more generic and also support server-side
processing ("Your server was instructed by someone.jabber.net to add a new
user to your roster, do you want to grant this privilege?
(Yes/No/Always/Never)"). On the other hand, for a rather basic thing such
as shared roster groups I'd like the shared group mechanism not to rely on
any client extensions at all. mod_groups didn't need them either.

>> (even prepopulated rosters can't be done with it).
> How about a new 'PubSub Node Exchange' JEP that specifies how to send a
> pubsub node to another entity (similar to the way JEP-93 Roster Exchange
> allows a roster item to be sent to another entity)? Of course it would still
> be the responsibility of the receiving client to subscribe the user to the
> node and request all active items.

I don't see the point then?

> How does JEP-93 solve the security problems?

Clients implementing JEP-0093 typically ask the user what contacts to add
from the list of contacts they received.

> As you pointed out, JEP-140 doesn't cover everything yet, but it already
> solves several of the central-administration issues (e.g. persistent central
> storage).

I don't see this. Imagine the corporate use case. With JEP-0140, the admin
needs to set up the account and instruct the user to subscribe to a pubsub
node for roster contacts (or do it himself). Without JEP-0140, the admin
can set up the account, add it to his list of "active accounts" and send
JEP-0093 packets whenever there are new users. So there's almost nothing
to be gained by using JEP-0140 (it even requires the users to use a
JEP-0060 and JEP-0140-capable client) that can't be achieved with
JEP-0093.

In contrast, for private use JEP-0140 could be nice. But then again, I
can't imagine what "contact pubsub nodes" could be of interest for me
especially as for finding new contacts search and other mechanisms are
better suited.

> It also has the significant advantage of being built on a fundamental
> protocol building block (pubsub).

What clients implement pubsub?

Regards
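The check maqi says a client cannot make today (whether it really subscribed to the node an <event/> claims to come from) is something the client can only answer from its own records. As an added illustration, not code from this thread or from any JEP-0140 implementation: a client keeps the (pubsub service JID, node) pairs it actually subscribed to and auto-applies roster items only from events matching that record. The pubsub#event namespace is JEP-0060's; reusing jabber:x:roster items as the payload, and all JIDs, are assumptions for the example.

```python
import xml.etree.ElementTree as ET

PUBSUB_EVENT_NS = "http://jabber.org/protocol/pubsub#event"  # JEP-0060 event namespace
ROSTER_X_NS = "jabber:x:roster"  # JEP-0093 item format, assumed here as the payload

def _q(ns, tag):
    return "{%s}%s" % (ns, tag)

def roster_items_from_event(stanza_xml, subscriptions):
    """Return (accepted, items, reason) for one incoming <message/> stanza.

    `subscriptions` is the client's own record of (service JID, node) pairs it
    actually subscribed to.  Items are only accepted when the stanza's 'from'
    and the event's node match that record, so an event injected by some other
    server (or for a node the user never subscribed to) is not applied.
    """
    msg = ET.fromstring(stanza_xml)
    sender = (msg.get("from") or "").split("/", 1)[0].lower()  # bare JID
    event = msg.find(_q(PUBSUB_EVENT_NS, "event"))
    items_el = event.find(_q(PUBSUB_EVENT_NS, "items")) if event is not None else None
    if items_el is None or not sender or items_el.get("node") is None:
        return False, [], "not a well-formed pubsub event"
    node = items_el.get("node")
    if (sender, node) not in subscriptions:
        return False, [], "no recorded subscription to %r at %s" % (node, sender)
    items = []
    for it in items_el.iter(_q(ROSTER_X_NS, "item")):
        if not it.get("jid"):
            continue
        groups = [g.text for g in it.findall(_q(ROSTER_X_NS, "group")) if g.text]
        items.append({"jid": it.get("jid"), "name": it.get("name"), "groups": groups})
    return True, items, "ok"

# Constructed sample data; all JIDs are placeholders.
SUBSCRIPTIONS = {("pubsub.example.org", "corp/sales")}
_PAYLOAD = ('<items node="corp/sales"><item id="1"><x xmlns="jabber:x:roster">'
            '<item jid="bob@example.org" name="Bob"><group>Sales</group></item>'
            '</x></item></items>')
GENUINE_EVENT = ('<message from="pubsub.example.org" to="alice@example.org">'
                 '<event xmlns="%s">%s</event></message>' % (PUBSUB_EVENT_NS, _PAYLOAD))
# Same payload, but sent by a server the user never subscribed through.
FORGED_EVENT = GENUINE_EVENT.replace('from="pubsub.example.org"',
                                     'from="pubsub.someone.jabber.net"')

if __name__ == "__main__":
    for label, stanza in (("genuine", GENUINE_EVENT), ("forged", FORGED_EVENT)):
        print(label, roster_items_from_event(stanza, SUBSCRIPTIONS))
```

Anything rejected here is what the thread's "(Yes/No/Always/Never)" prompt would be shown for instead of being applied silently.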
