[Standards-JIG] proposed In-Band Registration revisions

Vinod Panicker vinod.p at gmail.com
Thu Dec 8 17:49:41 UTC 2005


On 12/8/05, JD Conley <jd.conley at coversant.net> wrote:

<snip/>

> Welcome to the club. :) With our implementation we do remove all
> remnants of the user on an unregister, including any roster entries and
> subscriptions.

OK... considering a hypothetical scenario (which all of you must be
sick of by now):

1 - a at a.com unregisters herself from the server
2 - a.com removes a at a.com from all the rosters
3 - b at b.com has his girlfriend a at a.com in his roster
4 - when a.com is deleting roster entries for a at a.com, b.com is facing
a network outage, so the presence stanza doesn't get through
5 - result is that b at b.com still sees a at a.com in his roster
6 - the next day, b at b.com's wife snaps up the address a at a.com since it
is so coveted and logs in
7 - b at b.com sends some naughty messages to a at a.com (he doesn't see her
presence since the presence probe would result in an error ofc)
totally exposing his identity
8 - b at b.com gets bobitted (worst case scenario :))

Maybe this is why I'm so afraid of unregistrations :)

Regards,
Vinod.


