[Standards-JIG] Re: MUC and owner getting disconnected.

Peter Saint-Andre stpeter at jabber.org
Thu Jan 13 21:23:39 UTC 2005


In article <1105647477.3826.14.camel at localhost.localdomain>,
 Jens Mikkelsen <gyldenskjold at mail.dk> wrote:

> On Thu, 2005-01-13 at 19:34, Peter Saint-Andre wrote:
> > In article <1104231587.2990.6.camel at localhost.localdomain>,
> >  Jens Mikkelsen <gyldenskjold at mail.dk> wrote:
> > 
> > > It doesn't help me though. As I need a room that must have an owner and
> > > must be restricted to whom he/her allows. ;o)
> > 
> This is because I was working on an encrypted MU-C room. (It is finished
> by the way). In the solution the server can be compromised, so it cannot
> be trusted.
> The encrypted MU-C work with symmetric encyption with one secret key
> that all members share. To distribute the key asymmetric encryption is
> used. Because the server isn't trusted, the owner keeps a local
> memberlist, so he knows who he needs to distribute keys to. (If a member
> i revoked a new key is send). If the key was distributed to all on the
> memberlist on the server, an attacker could change the memberlist.
> So if the owner were to leave the room, theres no local memberlist and
> there cannot be any key negotiation. Hence the owner question. 
> (2) is not handled on the server and cannot be, as there has to be a
> local list.
> 
> I thought about this protocol, when implementing:
> 1. An owner wants to leave the room.
> 2. He sends the memberlist to another member encrypted either with the
> symmetric key or the asymmetric key.
> 3. Owner makes this member an owner.
> 4. As members have to know who is the owner, owner broadcasts new owner.
> (signed)
> 5. Owner exits room.
> 
> This creates some practical problems though, so I went with the other
> solution. Here the client exits the room if an owner exits the room.

Ah, that sounds interesting. :-)

So what exactly happens if the owner leaves or his connection dies 
(e.g., trips over a network cable)? To leave the room gracefully, it 
seems that the owner would first destroy the room and then leave. But in 
the ungraceful case, the other users would need to leave the room on 
their own if the owner's server sends unavailable presence to the room 
when it detects that the owner has gone offline. Or did you implement 
some other solution?

Peter




More information about the Standards mailing list