[Standards-JIG] Re: Proposal for a solution to transport rosters

Matthias Wimmer m at tthias.net
Mon Sep 6 09:22:18 UTC 2004


Hi!

maqi at jabberstudio.org schrieb am 2004-09-05 13:40:58:
> > I don't understand why modifying the server would be useful.
> Because we don't need to modify the clients then ;-).

Sure ... but allowing this on the server is just a hack again. You know
that I even don't like your hack with that JIT "imports" the nickname of
an ICQ contact to the servers roster.

I even expect that modifying clients will take effect much sooner. By
modifying the server you have to convince each server administrator to
update the server software and you have to implement the feature to
different server implementations as well.
With a client modification it is only the user, that want's the feature,
that has to update his client. If the user wants the feature he will be
for sure willing to update his client, much more likely than the server
administrator will update his server.

Jabber's concept of isolating the proprietary IM protocols from the
clients means, that a client does not have to be updated, if AOL, MSN,
Yahoo, ... are changing their protocols ... it does _not_ mean that we
have to implement _new_ features in a way that clients don't have to be
updated.

> > The user needs to give permission for the roster import to go ahead
> Typically, a user already expresses his trust in a transport as soon as he
> acks the transport's subscription request. Even in the case the user
> accidentally accepted a subscription request of a malicious server, the
> real damage this server can do then is about zero as it only can
> insert/remove contacts with the malicious server's host JID part. There
> are simpler ways to annoy Jabber users ;-).

You should know that the server does not know which entities on the
Jabber network are transports and even more it does not know which
transports a user has registered. Even if the server would intercept
jabber:iq:register queries it can not know, that the entity is a
transport and the user registered with it. E.g. it could also be that
the user send a jabber:iq:register query to a conferencing server to
just register a nickname there.


Tot kijk
    Matthias

-- 
Fon: +49-(0)70 0770 07770       http://web.amessage.info
HAM: DB1MW                      xmpp:mawis at amessage.info
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20040906/56d75400/attachment.sig>


More information about the Standards mailing list