[Standards-JIG] [Fwd: I-D ACTION:draft-saintandre-jabberid-01.txt]

Dave Cridland dave at cridland.net
Thu Jul 20 13:55:13 UTC 2006


On Thu Jul 20 14:43:35 2006, Joe Hildebrand wrote:
> 
> On Jul 20, 2006, at 7:07 AM, Dave Cridland wrote:
> 
>> On Thu Jul 20 13:42:29 2006, Hal Rottenberg wrote:
>>> 5.  Security Considerations
>>>  "A forged Jabber-ID
>>>   header may break automated processing; therefore the Jabber-ID header
>>>   SHOULD NOT be depended upon to indicate the authenticity of the
>>>   message or the identity of the sender."
>>> Should you mention here that the JID could be validated out-of-band
>>> using xmpp?
>> Probably not - you can validate that the JID's domain exists, but
>> I'm not sure you can do much more automatically anyway, can you?
>> Even if you could validate that the user exists, I'm not convinced
>> this gains you much.
> 
> We could specify an IQ to validate that a given message-ID comes
> from a given user.

... in another specification.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade


