[Standards-JIG] Inclusion of both, to and from attributes to the stream root element

Matthias Wimmer m at tthias.eu
Thu Sep 28 22:22:31 UTC 2006


Peter Saint-Andre wrote:
> My only concern is that the 'from' address in the stream header is
> simply asserted, so I could be shown the wrong set of SASL mechanisms if
> I assert that I'm mawis at jabber.org instead of stpeter at jabber.org or
> whatever. However, if I try to auth using a mechanism that I'm not
> really allowed to use, I'll find out eventually anyway because the
> server will return an <invalid-mechanism/> error to me. So I don't think
> this opens any security holes.

Agreed.

I think the from and to attributes should in any case not be more
than a hint to the endpoints of a connection. Real identity checking is
done by SASL or other strong ways to authenticate (TLS, IPsec, ...).


-- 
Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
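
The point made in this thread, as an added sketch that is not part of the original message or of any server's code: the stream header's 'from' only selects which SASL mechanisms are listed, and the decision rests on the identity SASL established. The account names, the policy table and the function names are constructed for illustration; `sasl_identity` and `sasl_ok` stand in for the outcome of a real SASL exchange.

```python
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed policy: which SASL mechanisms each account may use.
ACCOUNT_MECHS = {
    "alice@example.org": {"DIGEST-MD5", "PLAIN"},
    "bob@example.org": {"EXTERNAL"},
}
DEFAULT_MECHS = {"DIGEST-MD5"}


def read_stream_header(data):
    """Return (from, to) of an opening <stream:stream> tag. Both are unauthenticated."""
    parser = ET.XMLPullParser(events=("start",))
    parser.feed(data)  # the stream root is never closed, so parse incrementally
    for _event, elem in parser.read_events():
        if elem.tag == "{%s}stream" % STREAM_NS:
            return elem.get("from"), elem.get("to")
    raise ValueError("no stream header seen")


def advertised_mechanisms(asserted_from):
    """Use the asserted 'from' only as a hint for which mechanisms to list."""
    return sorted(ACCOUNT_MECHS.get(asserted_from, DEFAULT_MECHS))


def authenticate(mechanism, sasl_identity, sasl_ok):
    """Decide on the identity SASL established; the stream 'from' plays no part."""
    if mechanism not in ACCOUNT_MECHS.get(sasl_identity, DEFAULT_MECHS):
        return "<invalid-mechanism/>"
    if not sasl_ok:
        return "<not-authorized/>"
    return "<success/>"


if __name__ == "__main__":
    # Constructed header: the client asserts it is bob, but later
    # authenticates as alice.
    header = (
        "<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
        "xmlns:stream='http://etherx.jabber.org/streams' "
        "from='bob@example.org' to='example.org' version='1.0'>"
    )
    asserted, _to = read_stream_header(header)
    print("listed for asserted 'from':", advertised_mechanisms(asserted))
    print("EXTERNAL as alice:", authenticate("EXTERNAL", "alice@example.org", True))
    print("DIGEST-MD5 as alice:", authenticate("DIGEST-MD5", "alice@example.org", True))
```
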