[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]

Mridul Muralidharan mridul at sun.com
Sat May 19 13:47:05 UTC 2007


Ian Paterson wrote:
> Daniel Noll wrote:
>> On Saturday 19 May 2007 19:51, Ian Paterson wrote:
>>
>>> AFAICT, as long as the resource ID is random and long enough (e.g. 128
>>> bits of entropy), then it is exceptionally secure.
>>>
>>> In fact it is far more secure than, for example, the user's password...
>>> because it is random and long, because it changes with every session,
>>> and because the only way to discover it would be to sniff the user's
>>> session (in which case you know the user is online anyway).
>>>
>>
>> The person who is trying to find you might just decide to ask one of 
>> the contacts who does have a subscription to your presence.
>>
>> They can't quite do this with the user's password.
>>
> 
> Well, that doesn't matter in this case. Expanding my last sentence above:
> 
> "the only way to discover it would be to sniff the user's session *or 
> ask the user or one of her contacts who does have a subscription* (if 
> you can do any of those things then you know the user is online, so 
> there is no need to discover the resource ID)."
> 
> - Ian
> 
> 

Yes, you must not worry about out-of-band means of querying for presence :)

Mridul
