[Standards-JIG] JEP-163 (SPPS) comments

Kevin Smith kevin at kismith.co.uk
Mon Jan 30 21:52:57 UTC 2006

On 30 Jan 2006, at 21:20, Joe Hildebrand wrote:
>>> For all three of these, I think the "MUST allow" should be  
>>> "SHOULD allow", to account for other potential access controls  
>>> that the server may know.  One example might be ethical  
>>> boundaries enforced by a policy engine.
>> Can you give an example? I'm keen on spps staying as simple and  
>> well defined as possible and only allowing doubt where absolutely  
>> necessary.
> Hal nailed it in his reply.
In the case of government agencies restricting the flow of data,  
we're not really talking about avatars and user tunes are we? I'd  
argue that more complex access rules for more complex use cases are  
into the domain of full pub-sub and that the simple pubsub jep should  
be kept uncomplicated :)

>>> Is there a way to get notified of new nodes, perhaps by calling  
>>> the bare jid a collection node, and subscribing with subscription  
>>> type nodes?
>> Why is this interesting? Entity caps could be used to signal new  
>> features I think, meaning the creation of nodes shouldn't need to  
>> be signalled.
> As Maciek alluded to, Entity caps are a client-side thing, and SPPS  
> is server-side.  There's no way to get notified of a new node's  
> worth of presence for a person without allowing collection subs.

It's client-side, but we're talking about client-side features aren't  
we? The server is the medium, but it's the client with the features.  
I guess I don't see what's interesting about a node creation in  
itself, unless it's linked to a feature we care about.

>>> As for security considerations, the attack modes seem to be based  
>>> on from address spoofing, which we've got handled.  It might be  
>>> worth pointing out that ACL's SHOULD be recalculated whenever an  
>>> applicable roster item is modified, to ensure coherency.
>> I'm not sure what you mean, is this the same as saying ACLs must  
>> be verified for every push? If so, I agree.
> Hm.  It's a perf question which of them you use.  Maybe just an  
> admonition to recalculate whenever "needed", up to and including  
> for each push and subscribe.
Sorry, badly worded, I meant that the end result is equivalent.


Kevin Smith
Psi Jabber client maintainer (http://psi-im.org/)
Postgraduate Research Student, Computer Science, University Of Exeter

More information about the Standards mailing list