[Standards] Meta-Contacts: implementation notes

Pedro Melo melo at simplicidade.org
Thu Apr 3 12:06:26 UTC 2008


Hi,

On Apr 3, 2008, at 12:32 PM, Remko Tronçon wrote:
>>  If I give too much relevance to the user nickname or other  
>> information in
>> control of the contact, then I think we are opening up a lot of  
>> avenues of
>> attack. Just showing the avatar is problem enough.
>
> I agree, automatic naming of contacts is quite dangerous. Still, users
> ask us for that feature quite regularly. I wonder what we could do for
> them. Maybe some semi-automatic way of updating the nickname where the
> user has to explicitly request a nickname update could work, although
> I'm not sure if it's worth the extra menu item (if you can see the
> nickname in 'more info', you could ).

What about a "suggested" name feature?

I'm not against the idea of suggesting a name for a new contact,  
based on contact information (like nickname, vcard, or user-profile).  
I'm just saying that we should at least mention to client developers  
the risk of too much trust on remote information, regarding spoofing  
attacks.


> But anyway, that's a separate issue. If we agree that it's bad
> practice to hide the real roster name from the user, I guess
> meta-contacts based on roster name is an easy enough solution.

Whatever the users chooses to the name of the roster item, be it  
something that he typed himself, or something suggested based on the  
contact information, I think the meta-contact xep should use the  
local roster item name attribute.


One further point about the current meta-contacts XEP: the amount of  
data flowing back and forth when we change a meta-contact becomes  
very large fast. If we keep on this route, and with PEP, it might be  
worth to have a different node per meta-contact.

Best regards,
-- 
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org
Use XMPP!





More information about the Standards mailing list