[Standards-JIG] Inclusion of both, to and from attributes to the stream root element

Peter Saint-Andre stpeter at jabber.org
Thu Sep 28 22:25:23 UTC 2006


Matthias Wimmer wrote:
> Peter Saint-Andre schrieb:
>> My only concern is that the 'from' address in the stream header is
>> simply asserted, so I could be shown the wrong set of SASL mechanisms if
>> I assert that I'm mawis at jabber.org instead of stpeter at jabber.org or
>> whatever. However, if I try to auth using a mechanism that I'm not
>> really allowed to use, I'll find out eventually anyway because the
>> server will return an <invalid-mechanism/> error to me. So I don't think
>> this opens any security holes.
> 
> Agreed.
> 
> I think the from and to attributes should in any case not be more
> than a hint to the endpoints of a connection. Real identity checking is
> done by SASL or other strong ways to authenticate (TLS, IPsec, ...).

Yes, and the spec says that (even in RFC 3920), so I think we're fine.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
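
As an added illustration of the point made in this exchange (example code written for this page, not Peter's, Matthias's or any jabberd/XSF code): a minimal model in which the server uses the asserted 'from' only to choose which SASL mechanisms to advertise, while authorization is applied to the identity SASL itself establishes. The per-account mechanism policy, the PLAIN password store and the EXTERNAL identity passed in as a parameter (standing in for a TLS-verified client certificate) are all constructed assumptions, as is the exchange in the main block, where stpeter's client asserts mawis's JID in the stream header.

```python
"""Constructed model of RFC 3920 SASL negotiation: the stream header's
'from' is an unverified hint; the mechanism exchange decides identity."""
import base64
import hmac
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
DOMAIN = "jabber.org"

# Constructed policy: which SASL mechanisms each (hypothetical) account may use.
MECHANISMS_BY_ACCOUNT = {
    "stpeter@jabber.org": ("SCRAM-SHA-1", "PLAIN"),
    "mawis@jabber.org": ("EXTERNAL", "SCRAM-SHA-1"),
}
DEFAULT_MECHANISMS = ("SCRAM-SHA-1", "PLAIN")
# Constructed PLAIN credential store (a real server keeps verifiers, not this).
PLAIN_PASSWORDS = {"stpeter@jabber.org": "correct horse"}


def parse_stream_header(header):
    """Return the attributes of an opening <stream:stream> tag.
    The tag is unclosed on the wire, so a synthetic close is appended before
    parsing; 'from' and 'to' come back as plain, unverified strings."""
    root = ET.fromstring(header + "</stream:stream>")
    if root.tag != "{%s}stream" % NS_STREAM:
        raise ValueError("not a stream header")
    return dict(root.attrib)


def advertise_mechanisms(asserted_from):
    """Server side: choose the advertised list from the asserted 'from'.
    Nothing authenticated the hint, so the client picks which list it sees;
    that is all it gains, because handle_auth() never consults the hint."""
    return MECHANISMS_BY_ACCOUNT.get(asserted_from, DEFAULT_MECHANISMS)


def stream_features(mechs):
    """Server side: <stream:features/> advertising the chosen mechanisms."""
    items = "".join("<mechanism>%s</mechanism>" % m for m in mechs)
    return ("<stream:features xmlns:stream='%s'><mechanisms xmlns='%s'>%s"
            "</mechanisms></stream:features>" % (NS_STREAM, NS_SASL, items))


def plain_auth_xml(authcid, password, authzid=""):
    """Client side: SASL PLAIN <auth/> carrying authzid NUL authcid NUL password."""
    message = "\0".join((authzid, authcid, password)).encode("utf-8")
    return "<auth xmlns='%s' mechanism='PLAIN'>%s</auth>" % (
        NS_SASL, base64.b64encode(message).decode("ascii"))


def failure(condition):
    """Server side: SASL <failure/> with one RFC 3920 condition element."""
    return "<failure xmlns='%s'><%s/></failure>" % (NS_SASL, condition)


def handle_auth(auth_xml, peer_cert_identity=None):
    """Server side: run the requested mechanism, then apply policy.
    Returns (reply_xml, authenticated_jid). Identity comes from the mechanism
    (PLAIN credentials, or the transport-verified identity for EXTERNAL); the
    stream header's 'from' is deliberately not an input to this function."""
    auth = ET.fromstring(auth_xml)
    if auth.tag != "{%s}auth" % NS_SASL:
        raise ValueError("expected <auth/>")
    mech = auth.get("mechanism")
    if mech == "EXTERNAL":
        if peer_cert_identity is None:          # no verified identity to bind
            return failure("invalid-mechanism"), None
        identity = peer_cert_identity
    elif mech == "PLAIN":
        parts = base64.b64decode(auth.text or "").decode("utf-8").split("\0")
        if len(parts) != 3:
            return failure("incorrect-encoding"), None
        _authzid, authcid, password = parts
        identity = authcid if "@" in authcid else "%s@%s" % (authcid, DOMAIN)
        stored = PLAIN_PASSWORDS.get(identity, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return failure("not-authorized"), None
    else:
        return failure("invalid-mechanism"), None
    # Policy is checked against the identity SASL established, not the hint.
    if mech not in MECHANISMS_BY_ACCOUNT.get(identity, DEFAULT_MECHANISMS):
        return failure("invalid-mechanism"), None
    return "<success xmlns='%s'/>" % NS_SASL, identity


if __name__ == "__main__":
    # Constructed exchange: stpeter's client asserts mawis's JID in the header.
    header = ("<stream:stream xmlns='jabber:client' xmlns:stream='%s' "
              "to='%s' from='mawis@jabber.org' version='1.0'>" % (NS_STREAM, DOMAIN))
    hint = parse_stream_header(header).get("from")
    print("S:", stream_features(advertise_mechanisms(hint)))
    external = "<auth xmlns='%s' mechanism='EXTERNAL'>=</auth>" % NS_SASL
    print("S:", handle_auth(external)[0])       # no client cert: invalid-mechanism
    print("S:", handle_auth(plain_auth_xml("stpeter", "correct horse")))
```

Asserting mawis's JID gets the client shown EXTERNAL, but trying it without a transport-verified identity yields <invalid-mechanism/>, and authenticating with PLAIN still binds the stream to stpeter; the hint changed what was advertised, never who was authenticated.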
