[Standards-JIG] proto-JEP: Smart Presence Distribution

Tijl Houtbeckers thoutbeckers at splendo.com
Wed May 17 22:20:36 UTC 2006


On Thu, 18 May 2006 00:02:21 +0200, Pedro Melo <melo at co.sapo.pt> wrote:

>
> So basically the problem of keeping the rosters in sync is not a problem  
> with this proto-jep, but a problem that we already have today.

No. What your roster looks like is your own responsibility. If you want it  
to be out of sync or incorrect, fine. You want to write JEPs to decrease  
the chances of that happening, fine, go ahead. *That* is not related to  
what we're talking about here.

What your proposal does is allow people with an *incorrect* roster (one  
that suggests they have a presence subscription to me when they do not,  
when I never approved this or revoked this) to still receive my presence,  
without me knowing it or anyone being able to detect that (without knowing  
I don't want this). That is completely NOT an issue right now, and your  
proposal introduces this. Do you understand that or not?

> I think this proto-jep is something that would be negotiated between  
> servers. If both servers agree to use it, then you activate it. If you  
> don't want to use it, don't advertise it.

Yes, if you want.. fine. Like I said, I won't use it. Nor would I  
recommend anyone else to use it. Nor would I ever endorse the idea that a  
server that ONLY supports your way can still be called XMPP compliant. But  
if you want this, why not.. I could see it being useful when you don't care  
about presence leaking (e.g. if you have one of those "presence thingies"  
on your blog anyway).

That doesn't change the fact that your JEP opens up a security hole and  
other problems, and the JEP should be honest about that. What do you think  
the "Security Considerations" section is for?

>>
>> Yeah, what's the difference? Hack a server, install a recompiled  
>> jabberd with spy mechanisms, and then make sure no one notices, or make  
>> 1 little undetectable change to the database?
>
> I'm sorry but both of these are very similar to me

To make such a statement, either you don't care much about security, or  
you don't know much or understand much about it.
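The leak described in this reply, modelled as an added example that is not part of the thread or of the proto-JEP text. The JIDs, rosters and the "receiving server fans out by its own rosters" reading of the proposal are constructed assumptions; only the sender-side check corresponds to standard XMPP behaviour.

```python
# Model of presence fan-out from alice@example.net's home server to users on
# example.org, under the two distribution models contrasted in the thread.
# All JIDs and roster contents below are constructed for illustration.

# Sender-side roster (alice's own): the authoritative record of who may see
# her presence. States follow RFC 3921: "none", "to", "from", "both".
ALICE_ROSTER = {
    "bob@example.org": "both",
    "carol@example.org": "to",    # alice sees carol; carol may NOT see alice
    "dave@example.org": "none",   # alice revoked dave's subscription
}

# Receiver-side rosters held by example.org. dave's entry is stale: it still
# records a subscription to alice that she revoked (the "incorrect roster"
# case raised in the reply).
EXAMPLE_ORG_ROSTERS = {
    "bob@example.org":   {"alice@example.net": "both"},
    "carol@example.org": {"alice@example.net": "from"},
    "dave@example.org":  {"alice@example.net": "to"},   # stale claim
}

VISIBLE = {"from", "both"}          # sender-side states that authorize delivery
CLAIMS_VISIBILITY = {"to", "both"}  # receiver-side states that claim it

def standard_recipients(sender_roster):
    """Current XMPP behaviour: the sender's server consults only its own roster."""
    return sorted(c for c, s in sender_roster.items() if s in VISIBLE)

def smart_recipients(receiver_rosters, sender_jid):
    """Assumed model of the proposal as the reply describes it: one presence
    per server, and the receiving server fans it out to every local user whose
    roster claims a subscription to the sender."""
    return sorted(u for u, r in receiver_rosters.items()
                  if r.get(sender_jid, "none") in CLAIMS_VISIBILITY)

def presence_leaks(sender_roster, receiver_rosters, sender_jid):
    """Users who get presence under the receiver-decided model without being
    authorized by the sender's roster. A non-empty result is a leak that the
    sender's server has no way to observe from its own side."""
    allowed = set(standard_recipients(sender_roster))
    return [u for u in smart_recipients(receiver_rosters, sender_jid)
            if u not in allowed]

if __name__ == "__main__":
    print("standard:", standard_recipients(ALICE_ROSTER))
    print("smart:", smart_recipients(EXAMPLE_ORG_ROSTERS, "alice@example.net"))
    print("leaks:", presence_leaks(ALICE_ROSTER, EXAMPLE_ORG_ROSTERS, "alice@example.net"))
```

The point the check makes concrete: whichever server decides the fan-out must be the one holding the sender's subscription state, otherwise a stale or tampered roster on the far side is indistinguishable from a valid one.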
