[Standards-JIG] proto-JEP: Roster Item Exchange

Tijl Houtbeckers thoutbeckers at splendo.com
Thu Sep 16 21:44:47 UTC 2004


On Thu, 16 Sep 2004 12:59:58 -0500 (CDT), JEP Editor <editor at jabber.org>  
wrote:

> The JEP Editor has received a proposal for a new JEP.
>
> Title: Roster Item Exchange
>
> Abstract: This JEP defines a protocol for exchanging roster items,  
> including the ability to suggest whether the item is to be added,  
> deleted, or modified.
>
> URL: http://www.jabber.org/jeps/inbox/xroster.html
>
> In accordance with JEP-0001, the Jabber Council will decide within 7  
> days whether to accept this proposal as an official JEP.

Okay, let's look at this a bit, mostly from the roster-subsync perspective.

Roster-subsync requires that one can do more "actions", namely the different
subscription states ("both, none, to, from") and removal ("remove"). These
also happen to be all the different values allowed for the "subscription"
property in <item/>. However, the JEP for some reason wishes to stay clear
of.. well.. at least part of subscriptions.

Still, if you just use that, you can also drop the "action" property, which is
near next to useless anyway. How is a sending entity supposed to know who
is or is not in my roster, thus how does it know whether to suggest "add"
or "modify"? What should a client do when it gets a "modify" request for
a deleted item?

When it comes to security, in roster-subsync the sending entity can only
manipulate its *own* data. In xroster any item in your roster can be
manipulated. I understand that this is because rosterx must have more
use-cases than roster-subsync (particularly Shared Groups), still this
should not be overlooked. I think in security considerations the concept
of granting trust only for a certain domain should be introduced as a
concept.

As for the "per" group trust. What does this mean? Can you delete anyone
in that group from the roster? Or just throw them out of that group? For
example, what happens if I have a contact that wasn't in any group before,
then gets "suggested" to be added or modified to a group (for which I
give the entity permission to modify that group), and then removed?
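
The two concerns raised in the message above (a sender cannot know the recipient's roster state, and trust should be limited to a domain) can be sketched as a receiving-client check. This is an added example, not part of the original post or the proto-JEP; the function names, the decision values and the policy itself are assumptions chosen for illustration.

```python
# Added illustration: one possible receiving-client policy (hypothetical names).

def bare(jid):
    """Strip the resource and lower-case a JID (node@domain/resource)."""
    return jid.split("/", 1)[0].lower()

def domain_of(jid):
    """Return the domain part of a JID; a domain-only JID is returned whole."""
    return bare(jid).rsplit("@", 1)[-1]

def evaluate_suggestion(sender, item_jid, action, roster, trusted_domains):
    """Decide how to treat one suggested roster item.

    roster: set of bare JIDs currently in the local roster.
    trusted_domains: dict mapping a sender's bare JID to the set of
        domains whose items that sender may manage without a prompt.
    Returns (effective_action, decision), where decision is
    "apply", "prompt" or "ignore".
    """
    item = bare(item_jid)
    present = item in roster

    # The sender cannot see the local roster, so "add" versus "modify"
    # is resolved from local state instead of being taken on trust.
    if action in ("add", "modify"):
        effective = "modify" if present else "add"
    elif action == "delete":
        if not present:
            return ("delete", "ignore")  # nothing to remove locally
        effective = "delete"
    else:
        return (action, "ignore")        # unrecognised action value

    # Trust is scoped per domain: anything outside the domains granted
    # to this sender stays a suggestion that the user must confirm.
    allowed = trusted_domains.get(bare(sender), set())
    if domain_of(item) in allowed:
        return (effective, "apply")
    return (effective, "prompt")
```

Under this policy a "modify" for an item that has since been deleted is treated as an "add", and a sender trusted for one domain can never silently alter contacts in another.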








