[Standards-JIG] Re: pubsub: affiliations and subscriptions

Peter Saint-Andre stpeter at jabber.org
Thu Apr 6 19:25:03 UTC 2006


Gaston Dombiak wrote:

<snip/>

(See
http://mail.jabber.org/pipermail/standards-jig/2006-February/010066.html
for context.)

> So my recommendation is to add a new attribute to the <subscribe> element 
> that specifies the JID of the entity that owns the subscription. If the 
> attribute is not specified then the JID used for the subscription is assumed 
> to be the JID that uniquely identifies the entity. This idea should also 
> work well for previous versions.
> 
> Examples of how this may work.
> 
> Example 1. Entity subscribes to a node (entity JID = subscription JID)
> <iq type='set'
>     from='francisco@denmark.lit/barracks'
>     to='pubsub.shakespeare.lit'
>     id='sub1'>
>   <pubsub xmlns='http://jabber.org/protocol/pubsub'>
>     <subscribe
>         node='blogs/princely_musings'
>         jid='francisco@denmark.lit'/>
>   </pubsub>
> </iq>
> 
> Example 2. Entity subscribes to a node (entity JID that owns the 
> subscription is made explicit)
> <iq type='set'
>     from='francisco@denmark.lit/barracks'
>     to='pubsub.shakespeare.lit'
>     id='sub1'>
>   <pubsub xmlns='http://jabber.org/protocol/pubsub'>
>     <subscribe
>         node='blogs/princely_musings'
>         owner='francisco@denmark.lit'
>         jid='francisco@denmark.lit/PDA'/>
>   </pubsub>
> </iq>

The issue here is non-IM applications, where the concept of barejid does
not apply. So something like this seems better:

<iq type='set'
    from='francisco@denmark.lit/barracks'
    to='pubsub.shakespeare.lit'
    id='sub1'>
  <pubsub xmlns='http://jabber.org/protocol/pubsub'>
    <subscribe
        node='blogs/princely_musings'
        jid='francisco@denmark.lit/PDA'
        barejid='true'/>
  </pubsub>
</iq>

In other words, consider the bare JID to be the "owner" for subscription
tracking purposes. This attribute would default to "true" for backwards
compatibility.

> A pubsub service that is not very concerned about security might allow the 
> owner to have a different bare JID to the subscription bare JID. This 
> scenario might be useful for users that have different accounts in many 
> servers. 

No no no. This would be a major security problem.

> But the JEP may recommend that pubsub services should validate that 
> the bare JID of the owner should match the bare JID of the subscription JID.

Not SHOULD, MUST.

Peter
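
One way a pubsub service could enforce the owner/subscription bare-JID match discussed above, as an added example that is not part of the original message or of any project's code. The owner attribute is the proposal from this thread rather than published protocol; the extra comparison against the stanza's from address, the lower-casing in place of stringprep, the norway.lit domain and all function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = "http://jabber.org/protocol/pubsub"

def bare_jid(jid):
    """Return the bare JID (local@domain, or domain alone) of a JID."""
    # The resource starts at the first '/' and may itself contain '/' or '@',
    # so it has to be cut off before the address is split at '@'.
    bare = jid.split("/", 1)[0]
    local, sep, domain = bare.partition("@")
    if not sep:                       # domain-only JID such as a component
        local, domain = "", local
    if not domain or "@" in domain or (sep and not local):
        raise ValueError("malformed JID: %r" % jid)
    return (local + sep + domain).lower()  # stand-in for stringprep

def check_subscribe(stanza_xml):
    """Return (allowed, reason) for one <iq/> carrying a <subscribe/>."""
    iq = ET.fromstring(stanza_xml)
    sub = iq.find("{%s}pubsub/{%s}subscribe" % (NS, NS))
    if sub is None or not sub.get("jid"):
        return False, "no subscribe element with a jid"
    jid = sub.get("jid")
    owner = sub.get("owner", jid)     # proposed attribute; defaults to jid
    try:
        sender = bare_jid(iq.get("from", ""))
        owner_bare, sub_bare = bare_jid(owner), bare_jid(jid)
    except ValueError as err:
        return False, str(err)
    if owner_bare != sub_bare:        # the MUST from the thread
        return False, "owner and subscription bare JIDs differ"
    if sender != owner_bare:          # assumption of this example
        return False, "sender is not the owner"
    return True, "ok"

def make_request(sender, **attrs):
    """Build a constructed subscribe stanza to feed the check."""
    iq = ET.Element("iq", {"type": "set", "from": sender,
                           "to": "pubsub.shakespeare.lit", "id": "sub1"})
    pubsub = ET.SubElement(iq, "{%s}pubsub" % NS)
    ET.SubElement(pubsub, "{%s}subscribe" % NS,
                  dict(attrs, node="blogs/princely_musings"))
    return ET.tostring(iq, encoding="unicode")

if __name__ == "__main__":
    for target in ("francisco@denmark.lit/PDA", "francisco@norway.lit/PDA"):
        req = make_request("francisco@denmark.lit/barracks",
                           owner="francisco@denmark.lit", jid=target)
        print(target, check_subscribe(req))
```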