[Standards-JIG] Inclusion of both, to and from attributes to the stream root element
m at tthias.eu
Thu Sep 28 22:22:31 UTC 2006
Peter Saint-Andre wrote:
> My only concern is that the 'from' address in the stream header is
> simply asserted, so I could be shown the wrong set of SASL mechanisms if
> I assert that I'm mawis at jabber.org instead of stpeter at jabber.org or
> whatever. However, if I try to auth using a mechanism that I'm not
> really allowed to use, I'll find out eventually anyway because the
> server will return an <invalid-mechanism/> error to me. So I don't think
> this opens any security holes.
I think the from and to attributes should in any case not be more
than a hint to the endpoints of a connection. Real identity checking is
done by SASL or other strong ways to authenticate (TLS, IPsec, ...).
Matthias Wimmer Fon +49-700 77 00 77 70
Züricher Str. 243 Fax +49-89 95 89 91 56
81476 München http://ma.tthias.eu/
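
Added example (not part of the original message and not taken from any server's code): a sketch of the behaviour discussed in this thread, where the stream header's 'from' only selects which SASL mechanisms are advertised, while the mechanism policy is enforced against the identity the SASL exchange verified. The accounts, policy table and function names are constructed for illustration, and credential verification itself is assumed to have already happened.

```python
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed per-account policy (assumption): mechanisms each account may use.
POLICY = {
    "stpeter@example.org": {"DIGEST-MD5", "PLAIN"},
    "mawis@example.org": {"EXTERNAL"},
}
DEFAULT_MECHS = {"DIGEST-MD5"}  # offered when 'from' is absent or unknown


def stream_header_attrs(header: str) -> dict:
    """Parse an opening <stream:stream ...> tag and return its attributes."""
    text = header.strip()
    if not text.endswith(">") or text.endswith("/>"):
        raise ValueError("expected an unclosed stream start tag")
    # The stream root stays open for the whole session; close it to parse it alone.
    return dict(ET.fromstring(text[:-1] + "/>").attrib)


def advertised_mechanisms(claimed_from):
    """Hint only: tailor the offered list to the asserted, unverified 'from'."""
    return sorted(POLICY.get(claimed_from, DEFAULT_MECHS))


def finish_auth(mechanism: str, verified_jid: str) -> str:
    """Enforce policy against the identity SASL proved, never against 'from'."""
    if mechanism not in POLICY.get(verified_jid, DEFAULT_MECHS):
        return f"<failure xmlns='{SASL_NS}'><invalid-mechanism/></failure>"
    return f"<success xmlns='{SASL_NS}'/>"


# Constructed header: the client asserts a 'from' that is not its real account.
HEADER = ("<stream:stream xmlns='jabber:client' "
          "xmlns:stream='http://etherx.jabber.org/streams' "
          "from='mawis@example.org' to='example.org' version='1.0'>")

if __name__ == "__main__":
    attrs = stream_header_attrs(HEADER)
    print("offered:", advertised_mechanisms(attrs.get("from")))
    # The SASL exchange then proves the peer is really stpeter@example.org.
    print(finish_auth("EXTERNAL", "stpeter@example.org"))
    print(finish_auth("PLAIN", "stpeter@example.org"))
```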