[Standards] pubsub whitelists

Ralph Meijer jabber.org at ralphm.ik.nu
Wed Aug 22 16:43:53 UTC 2007


On Wed, 2007-08-22 at 10:30 -0600, Peter Saint-Andre wrote:
> Peter Millard originally thought of a pubsub whitelist as the list of
> entities that are subscribed to a node. However, as Joe Hildebrand and
> Matt Yacobucci just pointed out to me, that introduces a security hole
> quite similar to <presence type='subscribed'/> -- that is, the node
> owner can now add you to the subscriber list without your permission
> (introducing all sorts of wonderful spam possibilities). Joe and Matt
> pointed out that the whitelist is more properly a list of entities that
> are allowed to subscribe (or retrieve items) if they want to, not as the
> list of subscribers. This could be managed via node configuration (e.g.,
> a "pubsub#whitelist" node configuration option of type jid-multi). It
> seems important to fix this before we publish version 1.10 of XEP-0060
> so I will work on that here soon.

Oh, I assumed white lists would indeed be that. Your suggestion seems
perfect. +1

-- 
Groetjes,

ralphm
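
The distinction agreed on in this thread, sketched as an added example (not part of either message, and not code from XEP-0060 or any server): the whitelist is a node configuration value set by the owner, while a subscription exists only when the entity itself asks for one. The `Node` class, its method names, the simplified JID handling and the sample JIDs are all assumptions made for illustration.

```python
# Added illustration; Node and its methods are hypothetical, JIDs are constructed.
from dataclasses import dataclass, field


def bare(jid: str) -> str:
    """Drop the resource and lowercase (a simplification of real JID normalization)."""
    return jid.split("/", 1)[0].lower()


@dataclass
class Node:
    owner: str
    whitelist: set = field(default_factory=set)    # who MAY subscribe
    subscribers: set = field(default_factory=set)  # who HAS subscribed

    def configure_whitelist(self, actor: str, jids: list) -> None:
        """Owner sets the jid-multi style value; nobody gets subscribed by this."""
        if bare(actor) != bare(self.owner):
            raise PermissionError("only the owner may configure the node")
        self.whitelist = {bare(j) for j in jids}
        # Assumption of this sketch: losing whitelist status ends a subscription.
        self.subscribers &= self.whitelist

    def subscribe(self, requester: str, jid: str) -> None:
        """A subscription is created only at the subscribing entity's own request."""
        if bare(requester) != bare(jid):
            raise PermissionError("cannot subscribe another entity")
        if bare(jid) not in self.whitelist:
            raise PermissionError("not on the whitelist")
        self.subscribers.add(bare(jid))

    def recipients(self) -> set:
        """Notifications go to subscribers, never to the whitelist as such."""
        return set(self.subscribers)


def demo():
    node = Node(owner="owner@example.org")
    node.configure_whitelist("owner@example.org/desk",
                             ["alice@example.com", "bob@example.com"])
    after_config = node.recipients()  # whitelisting alone notifies no one
    node.subscribe("alice@example.com/phone", "alice@example.com")
    try:
        node.subscribe("owner@example.org", "bob@example.com")  # owner acting for bob
        forced = True
    except PermissionError:
        forced = False
    return after_config, node.recipients(), forced
```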



