[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]

Ian Paterson ian.paterson at clientside.co.uk
Fri May 18 20:51:50 UTC 2007


Peter Saint-Andre wrote:
> How is this for text in the Security Considerations?
>
> ******
>
> If a server receives a ping request directed to a full JID 
> (<node@domain.tld/resource>) associated with a registered account but
> there is no connected resource matching the 'to' address, it MUST 
> reply with a <service-unavailable/> error and set the 'from' address 
> of the IQ-error to the full JID provided in the 'to' address of the 
> ping request. If a connected resource receives a ping request but it 
> does not want to reveal its network availability to the sender for any 
> reason (e.g., because the sender is not authorized to know the 
> connected resource's availability), then it too MUST reply with a 
> <service-unavailable/> error. This consistency between the server 
> response and the client response helps to prevent presence leaks.
>
> ******

What about white space character data between XML tags etc? To prevent a 
presence leak the client MUST be able to predict every single byte of 
its server's normal response. I think you should go so far as including 
an example of the exact character string that a server MUST send.

- Ian
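An added example, written for this archive page and not code from the thread or from any XMPP implementation: it shows Ian's point in Python, building the `<service-unavailable/>` reply to a ping from one hand-assembled byte layout so a server (for a resource that is not connected) and a client (that hides its availability) emit identical bytes, and it shows how a library-serialised, indented reply differs from that layout. The ping stanza and JIDs are constructed sample values; `ET.indent` assumes Python 3.9 or later.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS_CLIENT = "jabber:client"
NS_PING = "urn:xmpp:ping"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Constructed sample: a ping to a full JID that may or may not be connected.
PING = (b"<iq type='get' id='ping1' from='observer@example.net/x'"
        b" to='juliet@example.com/balcony'><ping xmlns='urn:xmpp:ping'/></iq>")


def parse_ping(raw: bytes):
    """Return (id, from, to) of an IQ-get ping, or None if the stanza is not one."""
    iq = ET.fromstring(raw)
    if iq.tag not in ("iq", f"{{{NS_CLIENT}}}iq") or iq.get("type") != "get":
        return None
    if iq.find(f"{{{NS_PING}}}ping") is None:
        return None
    return iq.get("id"), iq.get("from"), iq.get("to")


def canonical_ping_error(raw: bytes) -> bytes:
    """Reply with a fixed byte layout: no whitespace between tags, fixed
    attribute order, and 'from' set to the full JID the request targeted.
    Both the server and the client must produce exactly these bytes."""
    parsed = parse_ping(raw)
    if parsed is None:
        raise ValueError("not a ping request")
    stanza_id, sender, target = parsed
    return (f"<iq type=\"error\" id={quoteattr(stanza_id)} from={quoteattr(target)}"
            f" to={quoteattr(sender)}><ping xmlns=\"{NS_PING}\"/>"
            f"<error type=\"cancel\"><service-unavailable xmlns=\"{NS_STANZAS}\"/>"
            f"</error></iq>").encode("utf-8")


def indented_ping_error(raw: bytes) -> bytes:
    """Same reply serialised by ElementTree with indentation: semantically
    equal, but the whitespace between tags makes the bytes differ."""
    stanza_id, sender, target = parse_ping(raw)
    iq = ET.Element("iq", type="error", id=stanza_id)
    iq.set("from", target)
    iq.set("to", sender)
    ET.SubElement(iq, "ping", xmlns=NS_PING)
    err = ET.SubElement(iq, "error", type="cancel")
    ET.SubElement(err, "service-unavailable", xmlns=NS_STANZAS)
    ET.indent(iq)  # pretty-print: inserts newlines and spaces
    return ET.tostring(iq)


def replies_distinguishable(server_reply: bytes, client_reply: bytes) -> bool:
    """True when an observer comparing raw bytes could tell the replies apart."""
    return server_reply != client_reply
```

Comparing `canonical_ping_error(PING)` against `indented_ping_error(PING)` shows the whitespace-only difference that would reveal which party answered.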
