[Standards-JIG] proto-JEP: Smart Presence Distribution
thoutbeckers at splendo.com
Wed May 17 23:41:48 UTC 2006
On Thu, 18 May 2006 01:06:50 +0200, Pedro Melo <melo at co.sapo.pt> wrote:
> This discussion will now move to the how did the roster got "incorrect".
No it won't. Because that doesn't matter.
I'll explain it one last time before putting this issue to rest. What the
proposal does, is shift who is responsible and in control for handing out
presence information to specific users, from me and my server, to someone
else and their server. It is not the responsibility of that other server
-or even if you think it is, it's still impossible for it!- to verify or
check the integrity of that information.
In the current situation, if you have two servers who adhere to protocol,
it's always me who decides who sees my presence. Purely by the addition of
what's suggested in this JEP that is simply no longer the case. Even if
all servers involved correctly follow protocol, there is absolutely NO
guarantee that someone I do not want to send my presence to will not end
up receiving it. Furthermore there is no way for me or anyone else to
detect this. Twist and turn all you want, this is (amongst other things) a
security issue introduced by this proposal. Thus it should be mentioned in
For that matter, I don't care if you or your employer thinks it's ok to
have an extremely hard to solve (and as you seem to push for, undocumented)
security problem, just because you'd have some other (potentially much
easier to solve) security problem leading up to it, it doesn't change a
single thing as to what I've been saying here.
For your 400k users however (and the people whose presence they subscribe
to, for that matter), I hope that's not how your company thinks about
security. Thankfully, that's not Sapo's reputation at the moment.