[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]
mridul at sun.com
Sat May 19 13:47:05 UTC 2007
Ian Paterson wrote:
> Daniel Noll wrote:
>> On Saturday 19 May 2007 19:51, Ian Paterson wrote:
>>> AFAICT, as long as the resource ID is random and long enough (e.g. 128
>>> bits of entropy), then it is exceptionally secure.
>>> In fact it is far more secure than, for example, the user's password...
>>> because it is random and long, because it changes with every session,
>>> and because the only way to discover it would be to sniff the user's
>>> session (in which case you know the user is online anyway).
>> The person who is trying to find you might just decide to ask one of
>> the contacts who does have a subscription to your presence.
>> They can't quite do this with the user's password.
> Well, that doesn't matter in this case. Expanding my last sentence above:
> "the only way to discover it would be to sniff the user's session *or
> ask the user or one of her contacts who does have a subscription* (if
> you can do any of those things then you know the user is online, so
> there is no need to discover the resource ID)."
> - Ian
Yes, you must not worry about out-of-band means of querying for presence :)