[Standards-JIG] UPDATED: JEP-0172 (User Nickname)
stpeter at jabber.org
Tue Mar 28 13:42:29 UTC 2006
Ian Paterson wrote:
> > There's a typo in Example 9. The attribute of the <invite/> element
> > should be 'from', not 'to'.
> > There are some Security Considerations with this protocol. There is a
> > real danger of identity spoofing (nickname not JID). Unless a user is
> > communicating exclusively within a trusted messaging community (e.g. via
> > an unfederated corporate IM server) then clients must be extremely
> > careful to ensure users are aware of that possibility.
A nickname is a memorable, friendly, but not unique name that I assert
about myself. No XMPP server can validate nicknames in the way XMPP
servers validate JIDs, since there's nothing to validate. Is my asserted
nickname part of my identity? In a way, yes. But it's "soft" identity.
Even in a "trusted" messaging community there is no guarantee that a
nickname will be unique (consider a big company like IBM, with 100k+
employees; nickname collisions are a near-certainty in a community that
big). So I am not quite convinced that there are serious security
concerns with a protocol that enables end users to advertise nicknames.
However, I do agree that clients need to appropriately inform end users
that nicknames are merely asserted friendly names and that they are not
validated in any way, may not be unique, etc.
> > It is already possible to spoof the names found in vCards (or PEP
> > profiles).
Yes, this applies to all existing formats with which JEP-0172 nicknames
are semantically equivalent (vCard NICKNAME from JEP-0054, nickname in
user profiles from JEP-0154 and in in-band registration from JEP-0077,
nick in FOAF, and Alias in xNAL). It also applies, as you say, to names.
It's not even necessary to spoof (e.g., certain formats don't like my
legal name, which is "J. Peter Saint-Andre", since they require a first
name and middle initial rather than first initial and middle name; does
a format in which my name comes out as "J P Saint-Andre" force me to
spoof my name?). So you can't really trust any name except as provided
in an appropriate X.509 certificate (even names in OpenPGP keys are
merely asserted); and even in X.509 errors can occur (see above on name
formats etc.). And so forth. There are no guarantees here, so I suggest
we chill out (especially regarding nicknames, which are supposed to be
fun and memorable, not secure or unique identifiers in any way
whatsoever). That said, I'll make a note about it in JEP-0172 to satisfy
the paranoid. :-)
> > However that danger is eliminated for communications *within*
> > organizations whose servers prevent users editing their own vCards (or
> > PEP profiles). JEP-0172 does not allow the same security since it is
> > impractical for organizations to control (the names sent by) all
> > clients.
Well, an organization could enforce nicknames and guarantee that they
will not collide. I doubt most would, but they could if they cared enough.
> > Identity spoofing between people who have no existing relationship is a
> > very difficult problem, one that is much broader than the scope of this
> > thread.
See above. Even real-world identity is not an easy problem, and it
contains many social aspects. Digital identity is even messier. In large
measure discussions of digital identity are trying to abstract from or
extend social and cultural norms that have been built up over thousands
of years. And that's not easy.
> > FYI, I've implemented this protocol. It makes providing nickname
> > functionality much easier for client developers. It also allows
> > developers to avoid the asynchronous coding that is necessary when vCards
> > (or PEP profiles) are used to implement similar functionality (except
> > when adding a new contact or initiating a new chat).
Cool, feedback is always welcome. :-)
Jabber Software Foundation
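One way a client could act on the advice in this thread (show the asserted nickname beside the server-validated JID and mark it when it collides with another contact's nickname or mimics a JID). This is an added example, not code from the thread or from JEP-0172; the stanzas are constructed and the collision heuristic is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NICK_NS = "http://jabber.org/protocol/nick"  # namespace of the JEP-0172 <nick/> element

# Constructed sample stanzas: two different JIDs assert the same nickname,
# and a third asserts a nickname that looks like someone else's JID.
SAMPLE_STANZAS = [
    "<message xmlns='jabber:client' from='narrator@moby-dick.lit/pda' to='starbuck@moby-dick.lit'>"
    f"<nick xmlns='{NICK_NS}'>Ishmael</nick><body>Call me Ishmael.</body></message>",
    "<message xmlns='jabber:client' from='impostor@example.org/home' to='starbuck@moby-dick.lit'>"
    f"<nick xmlns='{NICK_NS}'>Ishmael</nick><body>It is me.</body></message>",
    "<message xmlns='jabber:client' from='stranger@example.org/x' to='starbuck@moby-dick.lit'>"
    f"<nick xmlns='{NICK_NS}'>ahab@moby-dick.lit</nick><body>hi</body></message>",
]

def asserted_nick(stanza_xml):
    """Return (bare JID from 'from', asserted nickname or None) for a message stanza."""
    msg = ET.fromstring(stanza_xml)
    bare_jid = msg.get("from", "").split("/", 1)[0]
    nick = msg.find(f"{{{NICK_NS}}}nick")
    return bare_jid, (nick.text.strip() if nick is not None and nick.text else None)

def display_name(bare_jid, nick, known_nicks):
    """Build a display string that never hides the validated JID behind the asserted nick.

    known_nicks maps bare JID -> nickname already shown for that contact. A nick that
    collides with another contact's nick (case-insensitively) or that contains '@'
    (so it could be mistaken for a JID) is flagged as unverified.
    """
    if not nick:
        return bare_jid
    collides = any(n.casefold() == nick.casefold() and j != bare_jid
                   for j, n in known_nicks.items())
    looks_like_jid = "@" in nick
    flag = " [unverified nickname]" if (collides or looks_like_jid) else ""
    return f"{nick} ({bare_jid}){flag}"

def render_conversation(stanzas):
    """Process stanzas in order, remembering each JID's nick; return the display names."""
    known = {}
    out = []
    for s in stanzas:
        jid, nick = asserted_nick(s)
        out.append(display_name(jid, nick, known))
        if nick:
            known[jid] = nick
    return out
```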