[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]

Ian Paterson ian.paterson at clientside.co.uk
Sat May 19 12:01:27 UTC 2007


Daniel Noll wrote:
> On Saturday 19 May 2007 19:51, Ian Paterson wrote:
>
>> AFAICT, as long as the resource ID is random and long enough (e.g. 128
>> bits of entropy), then it is exceptionally secure.
>>
>> In fact it is far more secure than, for example, the user's password...
>> because it is random and long, because it changes with every session,
>> and because the only way to discover it would be to sniff the user's
>> session (in which case you know the user is online anyway).
>
> The person who is trying to find you might just decide to ask one of the
> contacts who does have a subscription to your presence.
>
> They can't quite do this with the user's password.

Well, that doesn't matter in this case. Expanding my last sentence above:

"the only way to discover it would be to sniff the user's session *or ask the user or one of her contacts who does have a subscription* (if you can do any of those things then you know the user is online, so there is no need to discover the resource ID)."

- Ian