[Standards-JIG] Summary of roster proposal points

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Tue Sep 7 07:28:04 UTC 2004


On Monday 06 September 2004 11:58 pm, James Bunton wrote:
> the other one that was proposed is no better. The idea with letting
> gateways modify your roster directly is just plain bad, the reason the
> <presence type="subcribed"/> is not allowed by XMPP (before subscribe)
> is to prevent this modification of users' rosters without permission.
> Lets not bring it back in a new form! If we start using this idea, which
> is really more of a hack than my proposal, then we're going to have even
> more problems down the line, when servers start disallowing gateway
> access to users' rosters (as they should)

The user would have granted access to the remote entity.  This is no better or 
worse, security-wise, than your proposal.  The reason doing it through the 
server is the "right" way, is because it centralizes the permissions, and 
doesn't change any of the roster handling rules from a client perspective.

Allowing any subscribed JID to modify your roster is totally not what I was 
suggesting.  The only JIDs allowed to touch your roster would be those that 
you've explicitly granted permission to do so, via a specific element in 
iq:register (like <grant-roster-permission/> or something).

-Justin




More information about the Standards mailing list