[Standards] Fwd: Meeting minutes 2010-02-15

Carlo v. Loesch CvL at mail.symlynX.com
Wed Feb 24 21:33:33 UTC 2010


Dave Cridland typeth:
| Let me also clarify - if we could send IM presence once over a link  
| and have fan-out controlled by a foreign domain, I'd be happy with  
| it. But I don't think that's a practical option, given that it  
| requires greater trust between domains, and prevents various other  
| forms of control. FWIW, the same applies to PEP versus general  
| PubSub, I think, and these are the same protocol, but with different
| controls.

It's trivial to modify a server in such a way that it will report
all presence of all peers of its users to an administrator or to modify
a server in such a way that it reports probes from wannabe-invisible users.
So you already *are* trusting other servers. Having the recipient server
manage subscriptions instead of you "remote controlling" them is no
new security issue.

The security issue is elsewhere. In order to deliver presence to
the right people the server must additionally store subscription
acknowledgments from the peers (presence type=subscribed) and not let
the local user or client infiltrate other people's presence slaves
(in a multicast master/slave architecture) by fiddling with subscription
state=to. 

Any server implementor who adds multicast to her server must also
provide for this subscription safety mechanism, including silently
removing a recipient, if this is what the peer expects.
'stanza repeaters' seems to be the right kind of approach here
with all the special requirements XMPP presence has.


-- 
   _//	Carlo v. Loesch
  _//	http://symlynX.com/
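
Added example, not part of the original message and not code from any XMPP server: a minimal model of the recipient-side ("slave") subscription safety check described above. The class, method names and JIDs are hypothetical; it assumes bare JIDs and that `link_domain` is the already authenticated domain of the server-to-server link.

```python
class FanOutSlave:
    """Recipient-side fan-out list: who may receive a remote contact's presence."""

    def __init__(self):
        self._pending = set()  # (local_user, contact): request sent, no answer yet
        self._acked = set()    # (local_user, contact): peer sent type=subscribed

    def local_subscribe(self, local_user, contact):
        # A local user asks for presence. Nothing is delivered yet.
        self._pending.add((local_user, contact))

    def local_roster_set(self, local_user, contact, subscription):
        # A client-supplied subscription state (e.g. "to") is never trusted.
        # The return value only reports what the peer has acknowledged.
        return (local_user, contact) in self._acked

    def inbound_presence(self, link_domain, contact, local_user, ptype):
        # Accept subscription state only from the contact's own domain.
        if contact.rsplit("@", 1)[-1] != link_domain:
            return
        key = (local_user, contact)
        if ptype == "subscribed" and key in self._pending:
            # Stored acknowledgment: this user is now a legitimate recipient.
            self._pending.discard(key)
            self._acked.add(key)
        elif ptype == "unsubscribed":
            # Peer revoked or refused: drop the recipient silently.
            self._pending.discard(key)
            self._acked.discard(key)

    def recipients(self, contact, candidates):
        # Fan out one inbound presence stanza to acknowledged users only.
        return sorted(u for u in candidates if (u, contact) in self._acked)


if __name__ == "__main__":
    # Constructed sample data.
    juliet = "juliet@capulet.example"
    s = FanOutSlave()
    s.local_subscribe("romeo", juliet)
    s.inbound_presence("capulet.example", juliet, "romeo", "subscribed")
    s.local_roster_set("mallory", juliet, "to")  # has no effect on delivery
    print(s.recipients(juliet, ["romeo", "mallory"]))
```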


