[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]

Ian Paterson ian.paterson at clientside.co.uk
Wed May 30 02:06:06 UTC 2007

Rachel Blackman wrote:
> I don't know that I agree that this is a significant security issue, 
> but I /do/ agree that if you accept the premise that it /is/, the 
> human-readable and meaningful resources are a liability.

If we leave this hole then at some stage someone will create a patch to 
add the feature to a popular client. And people will use it. I will - if 
only to know when St Peter is using his stealth account. ;-)

So I guess whether you think this is a security (privacy) issue or not 
is very similar to asking: "Is it really necessary for servers to allow 
users to prevent subscriptions to their presence?"

To answer that, would you choose to use a server that didn't allow you 
to prevent *anyone* subscribing to your presence?

Most people wouldn't. So IMHO it is our responsibility to protect Aunt 
Tillie's privacy *out-of-the-box* (like Google does). She shouldn't have 
to tick the client option "(Ask my server to) generate a random resource 
for me" - or even to uncheck the box "Allow anyone to know my presence".

If MSN, Yahoo or AIM had this presence leak then there would have been 
some noise and ridicule. I am honestly surprised that part of our 
community doesn't seem to be taking our responsibility for Aunt Tillie's 
privacy seriously. So perhaps I'm missing something?

> If you agree it's a problem and have an alternate solution, that's 
> great too!


> But this conversation as a whole is sort of reaching a point where 
> we're trying to build up or discredit the argument by tangential (and 
> occasionally wildly stretching) analogies, rather than actually 
> addressing what the original concern was. :)


- Ian
