[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]

Daniel Noll daniel at noll.id.au
Sat May 19 10:17:40 UTC 2007


On Saturday 19 May 2007 19:51, Ian Paterson wrote:
> Kevin Smith wrote:
> > I think the other option (pick a resource pseudo-randomly so the other
> > contact won't be able to guess it) sounds quite a lot like security
> > through obscurity.
>
> AFAICT, as long as the resource ID is random and long enough (e.g. 128
> bits of entropy), then it is exceptionally secure.
>
> In fact it is far more secure than, for example, the user's password...
> because it is random and long, because it changes with every session,
> and because the only way to discover it would be to sniff the user's
> session (in which case you know the user is online anyway).

The person who is trying to find you might just decide to ask one of the 
contacts who does have a subscription to your presence.

They can't quite do this with the user's password.

Daniel
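An added illustration of the scheme Ian describes above (a per-session resource drawn from a CSPRNG with 128 bits of entropy). This is written for this note, not code from the thread or from any XMPP library; the hex encoding, the helper names and the "4 bits per hex character" entropy accounting are my own choices, and the only XMPP fact relied on is the 1023-byte resourcepart limit from RFC 3920 / RFC 6120.

```python
import math
import secrets

# Entropy floor discussed in the thread for an unguessable resource.
MIN_ENTROPY_BITS = 128


def random_resource(entropy_bits: int = MIN_ENTROPY_BITS) -> str:
    """Draw a fresh resource identifier from the OS CSPRNG.

    Hex is used (assumption: any resourcepart-safe alphabet would do) so
    every character carries exactly 4 bits; 32 hex characters == 128 bits.
    Call this once per session and never persist or reuse the value.
    """
    nbytes = math.ceil(entropy_bits / 8)
    return secrets.token_hex(nbytes)


def entropy_bits(resource: str) -> int:
    """Entropy of a resource produced by random_resource().

    Anything that is not lowercase hex (e.g. "Home", "Work") is treated as
    coming from a small human-chosen namespace and scored as 0 bits.
    """
    if not resource or any(c not in "0123456789abcdef" for c in resource):
        return 0
    return 4 * len(resource)


def is_valid_resourcepart(resource: str) -> bool:
    """Length bounds from RFC 3920 / RFC 6120: 1..1023 bytes of UTF-8."""
    n = len(resource.encode("utf-8"))
    return 1 <= n <= 1023


def is_unguessable(resource: str, minimum: int = MIN_ENTROPY_BITS) -> bool:
    """True if the resource is well-formed and carries at least `minimum` bits."""
    return is_valid_resourcepart(resource) and entropy_bits(resource) >= minimum


def full_jid(bare_jid: str, resource: str) -> str:
    """Build user@domain/resource, refusing malformed resourceparts."""
    if not is_valid_resourcepart(resource):
        raise ValueError("invalid resourcepart: %r" % resource)
    return "%s/%s" % (bare_jid, resource)


if __name__ == "__main__":
    # Sample bare JID is constructed for the demo.
    r = random_resource()
    print(full_jid("juliet@example.com", r), entropy_bits(r), "bits")
    print("Home ->", is_unguessable("Home"))
```

Note what this check does and does not cover: it confirms the resource was drawn from a large enough space to resist guessing, which is Ian's point. It says nothing about who the full JID is subsequently shown to, which is Daniel's point: any contact with a presence subscription receives the resource in the presence stanza and can simply pass it on.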