[Standards-JIG] proto-JEP: Smart Presence Distribution

Matthias Wimmer m at tthias.eu
Thu May 18 10:17:33 UTC 2006


Hi Carlo!

Carlo v. Loesch wrote:
> | Mattias brought up an interesting point here. I tried it on an ejabberd
> | server and indeed I could set a roster item with subscription "both" (and  
> | get back a result with "both"), this was gone when I re-requested the
> | roster though (back to "none"). I wonder what other servers would do... it
> | is however not the main point.
>
> We have updated the JEP to make it clear that it MUST be ensured that
> the subscription state has not been 'faked'. I was not aware of such
> security problems in servers, but I presume a server developer willing to
> implement this JEP would first ensure the roster data he is working with
> is safe and reliable.
>   
This is not a bug, it's a feature. And all servers I ever tried are 
willing to update your roster to anything you want.
In Gabber this has been used to be able to back up and restore your 
roster. With JRU this is used to manage your roster if you move servers 
or change transports.
This is not a security problem, as all you can do is damage your own 
roster, as long as it is the responsibility of the sending side to decide 
who gets a presence.


Matthias
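The roster-set behaviour discussed in this thread, as an added Python example that is not code from the thread, from ejabberd, Gabber or JRU: a constructed roster set in which the client claims subscription='both' is applied first by a server that writes the attribute straight through (the behaviour visible in the set result Carlo mentions) and then by a server that keeps its own subscription state and honours only 'remove', so a faked 'both' never reaches the stored roster. The sample stanza, the dict-based roster store and the function names are assumptions made for the demonstration, not any server's real API.

```python
"""Roster set handling with and without trusting the client's subscription value.

Added example, not code from the mailing-list thread. The stanza and the
roster store below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

NS_ROSTER = "jabber:iq:roster"
QUERY = f"{{{NS_ROSTER}}}query"
ITEM = f"{{{NS_ROSTER}}}item"
GROUP = f"{{{NS_ROSTER}}}group"

# Constructed client roster set: the client claims a "both" subscription
# to a contact that never authorized it.
CLIENT_ROSTER_SET = f"""<iq type='set' id='roster_1'>
  <query xmlns='{NS_ROSTER}'>
    <item jid='juliet@example.com' name='Juliet' subscription='both'>
      <group>Friends</group>
    </item>
  </query>
</iq>"""

# Constructed server-side roster for the user, keyed by bare JID. The
# subscription value is owned by the server and only changes through the
# presence subscription handshake (not shown here).
STORED_ROSTER = {
    "romeo@example.com": {"name": "Romeo", "subscription": "both", "groups": ["Friends"]},
}


def _items(iq_xml):
    """Parse a roster set and return its <item/> elements."""
    root = ET.fromstring(iq_xml)
    if root.tag != "iq" or root.get("type") != "set":
        raise ValueError("not a roster set")
    query = root.find(QUERY)
    if query is None:
        raise ValueError("missing jabber:iq:roster query")
    return query.findall(ITEM)


def naive_apply(stored, iq_xml):
    """Write every attribute from the client into the roster, subscription included.

    This is the write-through behaviour seen in the set result: the client
    can put any subscription value into its own roster item.
    """
    roster = {jid: dict(entry) for jid, entry in stored.items()}
    for item in _items(iq_xml):
        jid = item.get("jid")
        if item.get("subscription") == "remove":
            roster.pop(jid, None)
            continue
        roster[jid] = {
            "name": item.get("name"),
            "subscription": item.get("subscription", "none"),
            "groups": [g.text for g in item.findall(GROUP)],
        }
    return roster


def server_apply(stored, iq_xml):
    """Apply name/group changes but keep the server's own subscription state.

    Only 'remove' is honoured; any other client-supplied subscription value
    is ignored, so a faked 'both' cannot enter the roster.
    """
    roster = {jid: dict(entry) for jid, entry in stored.items()}
    for item in _items(iq_xml):
        jid = item.get("jid")
        if jid is None:
            raise ValueError("roster item without jid")
        if item.get("subscription") == "remove":
            roster.pop(jid, None)
            continue
        previous = roster.get(jid, {"subscription": "none"})
        roster[jid] = {
            "name": item.get("name"),
            "subscription": previous["subscription"],
            "groups": [g.text for g in item.findall(GROUP)],
        }
    return roster


def presence_recipients(roster):
    """Contacts entitled to the user's presence: subscription 'from' or 'both'."""
    return sorted(jid for jid, e in roster.items() if e["subscription"] in ("from", "both"))


if __name__ == "__main__":
    trusting = naive_apply(STORED_ROSTER, CLIENT_ROSTER_SET)
    strict = server_apply(STORED_ROSTER, CLIENT_ROSTER_SET)
    print("write-through server:", trusting["juliet@example.com"]["subscription"])
    print("strict server:       ", strict["juliet@example.com"]["subscription"])
    print("presence goes to:    ", presence_recipients(strict))
```

With the write-through variant the faked item comes back as 'both'; with the strict variant the item is stored with the name and group the client asked for but keeps subscription 'none', and presence_recipients() accordingly never lists the contact.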


