[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]
daniel at noll.id.au
Sat May 19 10:17:40 UTC 2007
On Saturday 19 May 2007 19:51, Ian Paterson wrote:
> Kevin Smith wrote:
> > I think the other option (pick a resource pseudo-randomly so the other
> > contact won't be able to guess it) sounds quite a lot like security
> > through obscurity.
> AFAICT, as long as the resource ID is random and long enough (e.g. 128
> bits of entropy), then it is exceptionally secure.
> In fact it is far more secure than, for example, the user's password...
> because it is random and long, because it changes with every session,
> and because the only way to discover it would be to sniff the user's
> session (in which case you know the user is online anyway).
The person who is trying to find you might just decide to ask one of the
contacts who does have a subscription to your presence.
They can't quite do this with the user's password.
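An added example, not part of this thread or of any XMPP implementation: a constructed Python model of the two positions above. A resource drawn with 128 bits of entropy cannot be hit by blind guessing, but every subscribed contact receives it in presence and can pass it on, so it protects against guessing, not against disclosure. The JIDs, the toy server and its probe behaviour are assumptions made for the illustration.

```python
import math
import secrets

def random_resource(entropy_bits=128):
    """Fresh per-session resource; token_urlsafe(n) base64url-encodes n random bytes."""
    return secrets.token_urlsafe(math.ceil(entropy_bits / 8))

def guess_success_probability(entropy_bits, attempts):
    """Upper bound on the chance that `attempts` blind guesses hit one random resource."""
    return min(1.0, attempts / 2 ** entropy_bits)

class ToyPresenceServer:
    """Constructed model, not XMPP server code: a session binds a bare JID to a resource,
    presence broadcasts carry the full JID only to subscribed contacts, and a stanza
    addressed to a full JID reveals whether that exact resource is bound."""

    def __init__(self):
        self.sessions = {}     # bare JID -> set of resources currently online
        self.subscribers = {}  # bare JID -> set of bare JIDs subscribed to its presence

    def login(self, bare_jid, resource=None):
        resource = resource or random_resource()
        self.sessions.setdefault(bare_jid, set()).add(resource)
        return f"{bare_jid}/{resource}"

    def subscribe(self, contact, bare_jid):
        self.subscribers.setdefault(bare_jid, set()).add(contact)

    def presence_seen_by(self, contact, bare_jid):
        """Full JIDs a contact learns from presence: all if subscribed, none otherwise."""
        if contact not in self.subscribers.get(bare_jid, set()):
            return set()
        return {f"{bare_jid}/{r}" for r in self.sessions.get(bare_jid, set())}

    def is_online(self, full_jid):
        """True only for the exact bound resource; a non-subscriber has to guess it."""
        bare_jid, _, resource = full_jid.partition("/")
        return resource in self.sessions.get(bare_jid, set())

def demo():
    """Both arguments from the thread in one run; returns what each party learns."""
    server = ToyPresenceServer()
    server.login("alice@example.org")  # 128-bit random resource, new every session
    server.subscribe("bob@example.org", "alice@example.org")
    guessed = server.is_online("alice@example.org/Home")  # blind guess: fails
    bob_sees = server.presence_seen_by("bob@example.org", "alice@example.org")
    carol_sees = server.presence_seen_by("carol@example.org", "alice@example.org")
    forwarded = server.is_online(next(iter(bob_sees)))  # Bob can hand his view to Carol
    return {"guessed": guessed, "bob_sees": bob_sees, "carol_sees": carol_sees, "forwarded": forwarded}
```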