[Standards] pubsub whitelists

Peter Saint-Andre stpeter at stpeter.im
Fri Aug 24 21:50:54 UTC 2007


Peter Saint-Andre wrote:
> Peter Saint-Andre wrote:
>> Peter Millard originally thought of a pubsub whitelist as the list of
>> entities that are subscribed to a node. However, as Joe Hildebrand and
>> Matt Yacobucci just pointed out to me, that introduces a security hole
>> quite similar to <presence type='subscribed'/> -- that is, the node
>> owner can now add you to the subscriber list without your permission
>> (introducing all sorts of wonderful spam possibilities). Joe and Matt
>> pointed out that the whitelist is more properly a list of entities that
>> are allowed to subscribe (or retrieve items) if they want to, not as the
>> list of subscribers. This could be managed via node configuration (e.g.,
>> a "pubsub#whitelist" node configuration option of type jid-multi). It
>> seems important to fix this before we publish version 1.10 of XEP-0060
>> so I will work on that here soon.
> 
> Looking at this further, I conclude that we need a new affiliation to
> handle this properly. I mean, we could do this via node configuration,
> but that is functionally equivalent to an affiliation. It is similar to
> the "member" affiliation in MUC, in that the JID is a "member of the
> club" of entities that can subscribe (like joining a room) or retrieve
> items (like getting room history). So I think we can call the pubsub
> affiliation "member" too.
> 
> It's not clear to me how existing pubsub implementations can be handling
> the whitelist access model, since it is so underspecified in the spec
> right now. But I will work to clean this up in the next few days.

Here is a first pass:

http://svn.xmpp.org:18080/browse/XMPP/trunk/extensions/xep-0060.xml?r1=1165&r2=1185

http://www.xmpp.org/extensions/tmp/xep-0060-1.10.html

Alternate URLs if you still can't resolve xmpp.org:

http://zeus.jabber.org:18080/browse/XMPP/trunk/extensions/xep-0060.xml?r1=1165&r2=1185

http://www.jabber.org/temp/xep-0060-1.10.html

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
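As an added illustration (example code, not part of this thread or of XEP-0060), a small Python model of the distinction the thread draws: a whitelist entry, modelled here as a "member" affiliation, only grants permission to subscribe or retrieve items, while a subscription is created solely on the subscriber's own request, so the owner cannot force anyone onto the subscriber list. The node, JIDs and method names are constructed for the example; only the "owner" and "member" affiliations and the "open" and "whitelist" access models are modelled.

```python
from dataclasses import dataclass, field

OPEN, WHITELIST = "open", "whitelist"


@dataclass
class PubSubNode:
    """Minimal pubsub node: affiliations carry permission, subscriptions are separate."""
    owner: str
    access_model: str = WHITELIST
    affiliations: dict = field(default_factory=dict)  # jid -> "owner" | "member"
    subscribers: set = field(default_factory=set)
    items: list = field(default_factory=list)

    def __post_init__(self):
        self.affiliations[self.owner] = "owner"

    def add_member(self, actor, jid):
        """Owner whitelists a JID. This grants permission only; it never creates
        a subscription, which is the hole the thread warns about."""
        if self.affiliations.get(actor) != "owner":
            return False
        self.affiliations[jid] = "member"
        return True

    def _allowed(self, jid):
        """Whitelist access model: only owner/member affiliations may subscribe or read."""
        if self.access_model == OPEN:
            return True
        return self.affiliations.get(jid) in ("owner", "member")

    def subscribe(self, requester, jid):
        """A JID can be subscribed only by itself, and only if the access model permits."""
        if requester != jid or not self._allowed(jid):
            return False
        self.subscribers.add(jid)
        return True

    def retrieve_items(self, jid):
        """Item retrieval uses the same whitelist check as subscription; None if denied."""
        if not self._allowed(jid):
            return None
        return list(self.items)
```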
