[Standards-JIG] Roster block importing and synchronisation using JEP-0093

Mike Albon mikea at yuri.org.uk
Tue Sep 14 18:33:36 UTC 2004


Thanks for the comments. :)

> >
> > This is my first stab at demonstrating the full case for using JEP-0093
> > for roster importing and syncronisation during the period of transition
> > from a legacy client to a jabber client.
> I realise I'm pointing this out to you twice now, and the first reply to  
> both our post refering to this issue wasn't till *after* you posted this  
> so it was impossible for you to incorporate this into your proposal, but  
> for people who didn't read that I'll say it again.
> A gateway can't use presence packets to remove someone from the clients  
> roster. It can only set the subscription state to "none". This is because  
> in Jabber presence subscription related task are done in the presence  
> stanza, and roster related stuff with jabber:iq:roster infoqueries. The  
> only exception to this is when you remove a contact from your roster, then  
> the *server* will make sure the subscription state of that contact will be  
> set to "none".

Ok, I may be being naive or just plain dumb, but could you illustrate
this case as I don't understand what you are driving at here. Other than
to say if there was an item on the roster, then the client would 'auto-
prune' it.

As it happens I have had a similar experience in part with people de-
registering and not unsubscribing their contacts. Each time they log in
they send lots of probe presences which I have been tempted to reply to
with an 'unsubscribed'.

> Excisting clients would need to be modified to remove "none" contacts.  
> However, I'd want that for my legacy contacts (after all this means I  
> already *have* removed them!), not Jabber contacts. So you'd need to  
> specify security rules for clients, to check for which contacts to do this  
> and which ones they should not. Or just accept that you'll have "ghosts"  
> in your list.
> Furthermore, I have a security concern. What happens I have someone  
> subscribed to my legacy contact? Currently, the transport forces you  
> through the "subscribed"-hack to have it shown in your roster that someone  
> subscribes to your status. But in your proposal you state that it's  
> allowed to not to add a contact that's send to you by JEP-0093. The  
> *least* a transport concerned with the user's security should do is keep  
> trying to ask for a subscription to the user each time the user logs in.  
> For every legacy contact in the user's legacy roster there should be at  
> least a "from" subscription to the user.
> This a concern because else you might have a user who can see your  
> presence, without you knowing it or having any way to find out about it.
> Also, JEP-0093 doesn't define what a client should do if it chooses not to  
> "accept" a contact/item in the list. I assume it does nothing, rather then  
> send unsubscribe and unsubscribed presence stanzas to it. Do you really  
> want people to know you rejected to put them on your list?

Yes, guilty as charged. Looks like I broke rule #1 - Always state your

I did assume that the unhandled items would be handled at the next login
by more prompting of the user, with a jabber:x:roster under the post
roster updating case.



More information about the Standards mailing list