[Standards] [Fwd: [Council] meeting minutes, 2007-05-16]
ian.paterson at clientside.co.uk
Wed May 30 02:06:06 UTC 2007
Rachel Blackman wrote:
> I don't know that I agree that this is a significant security issue,
> but I /do/ agree that if you accept the premise that it /is/, the
> human-readable and meaningful resources are a liability.

If we leave this hole then at some stage someone will create a patch to
add the feature to a popular client. And people will use it. I will - if
only to know when St Peter is using his stealth account. ;-)

So I guess whether you think this is a security (privacy) issue or not
is very similar to asking: "Is it really necessary for servers to allow
users to prevent subscriptions to their presence?"

To answer that, would you choose to use a server that didn't allow you
to prevent *anyone* subscribing to your presence?

Most people wouldn't. So IMHO it is our responsibility to protect Aunt
Tillie's privacy *out-of-the-box* (like Google does). She shouldn't have
to tick the client option "(Ask my server to) generate a random resource
for me" - or even to uncheck the box "Allow anyone to know my presence".

If MSN, Yahoo or AIM had this presence leak then there would have been
some noise and ridicule. I am honestly surprised that part of our
community doesn't seem to be taking our responsibility for Aunt Tillie's
privacy seriously. So perhaps I'm missing something?

> If you agree it's a problem and have an alternate solution, that's
> great too!
> But this conversation as a whole is sort of reaching a point where
> we're trying to build up or discredit the argument by tangential (and
> occasionally wildly stretching) analogies, rather than actually
> addressing what the original concern was. :)