[Standards-JIG] jep-secure updated
justin-keyword-jabber.093179 at affinix.com
Thu Mar 18 19:50:02 UTC 2004

I've added a <window> field to the sender now, so that the timeframe is no
longer a hard coded value. This was mainly to experiment with the idea of
having a very large window.

But now I think I have discovered a hole in the replay protection regarding
offline messages. If the timestamp of the last secure message of a session
is within X/2 time of the previous such session timestamp, then any offline
messages stamped within that timeframe could be replayed. For small windows,
this risk is minimal, but for large windows it becomes more apparent. What
we need is a solution that has zero risk no matter what the window size is.

On Wednesday 17 March 2004 7:23 pm, Justin Karneges wrote:
> Alright, I've updated the JEP according to all of the latest discussion.