[Standards-JIG] proposed In-Band Registration revisions

David Sutton jabber at dsutton.legend.uk.com
Thu Dec 8 18:47:10 UTC 2005


  I would say that the issue here isn't with unregistering, per se, but
how the client handled the error received from the presence probe.



On Thu, 2005-12-08 at 23:19 +0530, Vinod Panicker wrote:
> On 12/8/05, JD Conley <jd.conley at coversant.net> wrote:
> <snip/>
> > Welcome to the club. :) With our implementation we do remove all
> > remnants of the user on an unregister, including any roster entries and
> > subscriptions.
> OK... considering a hypothetical scenario (which all of you must be
> sick of by now)
> 1 - a at a.com unregisters herself from the server
> 2 - a.com removes a at a.com from all the rosters
> 3 - b at b.com has his girlfriend a at a.com in his roster
> 4 - when a.com is deleting roster entries for a at a.com, b.com is facing
> a network outage, so the presence stanza doesn't get thru
> 5 - result is that b at b.com still sees a at a.com in his roster
> 6 - the next day, b at b.com's wife snaps up the address a at a.com since it
> is so coveted and logs in
> 7 - b at b.com sends some naughty messages to a at a.com (he doesn't see her
> presence since the presence probe would result in an error ofc)
> totally exposing his identity
> 8 - b at b.com gets bobitted (worst case scenario :))
> Maybe this is why I'm so afraid of unregistrations :)
> Regards,
> Vinod.
David Sutton <jabber at dsutton.legend.uk.com>
