Peter Saint-Andre stpeter at stpeter.im
Fri Aug 24 21:50:54 UTC 2007

Peter Saint-Andre wrote:
> Peter Saint-Andre wrote:
>> Peter Millard originally thought of a pubsub whitelist as the list of
>> entities that are subscribed to a node. However, as Joe Hildebrand and
>> Matt Yacobucci just pointed out to me, that introduces a security hole
>> quite similar to <presence type='subscribed'/> -- that is, the node
>> owner can now add you to the subscriber list without your permission
>> (introducing all sorts of wonderful spam possibilities). Joe and Matt
>> pointed out that the whitelist is more properly a list of entities that
>> are allowed to subscribe (or retrieve items) if they want to, not as the
>> list of subscribers. This could be managed via node configuration (e.g.,
>> a "pubsub#whitelist" node configuration option of type jid-multi). It
>> seems important to fix this before we publish version 1.10 of XEP-0060
>> so I will work on that here soon.
> Looking at this further, I conclude that we need a new affiliation to
> handle this properly. I mean, we could do this via node configuration,
> but that is functionally equivalent to an affiliation. It is similar to
> the "member" affiliation in MUC, in that the JID is a "member of the
> club" of entities that can subscribe (like joining a room) or retrieve
> items (like getting room history). So I think we can call the pubsub
> affiliation "member" too.
> It's not clear to me how existing pubsub implementations can be handling
> the whitelist access model, since it is so underspecified in the spec
> right now. But I will work to clean this up in the next few days.

Here is a first pass:

Alternate URLs if you still can't resolve xmpp.org:

Peter Saint-Andre


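A toy model of the whitelist-as-"member"-affiliation behaviour described in this thread, added here as an illustration (it is not code from the XSF, XEP-0060 or any pubsub implementation; the class, method names and JIDs are made up). Being put on the whitelist grants only the right to subscribe or retrieve items; a subscription still has to come from the entity itself, so the owner cannot push subscriptions onto anyone.

```python
"""Toy pubsub node with a whitelist access model (added example, not XEP text)."""


class NotAuthorized(Exception):
    """Raised when a JID lacks the affiliation an operation requires."""


# Affiliations that let a JID subscribe to or retrieve items from a whitelist
# node. Assumed simplification: only "owner" and "member" are modelled here.
ALLOWED = {"owner", "member"}


class WhitelistNode:
    def __init__(self, owner):
        self.affiliations = {owner: "owner"}  # jid -> affiliation
        self.subscribers = set()              # only JIDs that subscribed themselves
        self.items = []

    def affiliation(self, jid):
        return self.affiliations.get(jid, "none")

    def set_affiliation(self, actor, jid, aff):
        """Owner-only. Granting "member" whitelists jid but does NOT subscribe it
        (doing so would be the <presence type='subscribed'/>-style hole)."""
        if self.affiliation(actor) != "owner":
            raise NotAuthorized(f"{actor} is not an owner of this node")
        if aff == "none":
            self.affiliations.pop(jid, None)
        else:
            self.affiliations[jid] = aff
        if aff not in ALLOWED:
            # Losing whitelist status also drops any subscription jid held.
            self.subscribers.discard(jid)

    def can_access(self, jid):
        return self.affiliation(jid) in ALLOWED

    def subscribe(self, requester):
        """Only the requesting entity itself ends up subscribed, and only if
        it is whitelisted."""
        if not self.can_access(requester):
            raise NotAuthorized(f"{requester} is not on the whitelist")
        self.subscribers.add(requester)

    def retrieve_items(self, requester):
        if not self.can_access(requester):
            raise NotAuthorized(f"{requester} is not on the whitelist")
        return list(self.items)

    def publish(self, actor, item):
        """Owner-only; returns the JIDs that would be notified."""
        if self.affiliation(actor) != "owner":
            raise NotAuthorized(f"{actor} may not publish")
        self.items.append(item)
        return sorted(self.subscribers)
```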