[Standards] Addressing Security Concerns in XEP-0115 Entity Capabilities

Joe Hildebrand joe.hildebrand at webex.com
Wed Sep 7 20:33:42 UTC 2011

On 9/5/11 6:39 AM, "Dave Cridland" <dave at cridland.net> wrote:

> Of course, it may be simplest just to bite the bullet and switch hash
> algorithm - or even change the 'hash' attribute name - because then
> it'll get treated as a pre-1.4 caps by the vast majority of entities
> and everything will happen right (or at least, no worse than it often
> does today anyway).

A bunch of our software already assumes that if you're doing old caps, you
don't have any caps we care about.

> I'm gradually leaning toward this, because although it's *quite*
> violent, the downside is not impossible.
> BTW, anyone any idea what happens if you include more than one <c/>
> in a presence, in practical terms?

I imagine you'd break enough stuff that my vote would be to use a different
namespace.  And then all of the people who complain to me about the *VAST*
number of octets that caps takes will redouble their bitching and moaning.

Joe Hildebrand
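The two code paths the thread keeps referring to, "hash-based caps" and "pre-1.4 caps", as an added example (this is not code from the thread or from any XMPP library). It builds the XEP-0115 verification string and ver value from disco#info data, classifies each <c/> in a presence stanza as hash-based or legacy, and shows the receiver-side check that recomputes ver from the entity's disco#info result before anything is cached under it. A hash attribute naming an algorithm the receiver does not implement is handled exactly like a missing hash attribute, which is the fallback Dave is counting on. The presence stanzas, the disco#info payload, the node value and the SUPPORTED_HASHES table are constructed for the example.

```python
"""Receiver-side handling of XEP-0115 <c/> elements (added example, not
code from the mailing-list thread or any XMPP library)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

CAPS_NS = "http://jabber.org/protocol/caps"
DISCO_INFO_NS = "http://jabber.org/protocol/disco#info"
DATA_NS = "jabber:x:data"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# XEP-0115 hash names this receiver implements (assumption for the example;
# sha-1 is the only one the XEP makes mandatory).
SUPPORTED_HASHES = {"sha-1": "sha1", "sha-256": "sha256"}


def verification_string(identities, features, forms=()):
    """Build the XEP-0115 section 5.1 verification string S.

    identities: iterable of (category, type, lang, name) tuples
    features:   iterable of feature var strings
    forms:      iterable of {var: [values]} dicts, each with a FORM_TYPE field
    """
    s = ""
    for cat, typ, lang, name in sorted(identities):       # category, type, lang, name
        s += f"{cat}/{typ}/{lang}/{name}<"
    for feat in sorted(features):
        s += feat + "<"
    for form in sorted(forms, key=lambda f: f["FORM_TYPE"][0]):
        s += form["FORM_TYPE"][0] + "<"
        for var in sorted(v for v in form if v != "FORM_TYPE"):
            s += var + "<"
            for value in sorted(form[var]):
                s += value + "<"
    return s


def caps_ver(identities, features, forms=(), hash_name="sha-1"):
    """ver = base64(hash(S)) for the named XEP-0115 hash algorithm."""
    h = hashlib.new(SUPPORTED_HASHES[hash_name])
    h.update(verification_string(identities, features, forms).encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def disco_info_to_parts(disco_xml):
    """Split a disco#info <query/> result into (identities, features, forms)."""
    query = ET.fromstring(disco_xml.strip())
    identities = [(i.get("category", ""), i.get("type", ""),
                   i.get(XML_LANG, ""), i.get("name", ""))
                  for i in query.findall(f"{{{DISCO_INFO_NS}}}identity")]
    features = [f.get("var", "") for f in query.findall(f"{{{DISCO_INFO_NS}}}feature")]
    forms = []
    for x in query.findall(f"{{{DATA_NS}}}x"):
        form = {f.get("var"): [v.text or "" for v in f.findall(f"{{{DATA_NS}}}value")]
                for f in x.findall(f"{{{DATA_NS}}}field")}
        if "FORM_TYPE" in form:
            forms.append(form)
    return identities, features, forms


def classify_caps(presence_xml):
    """One ("hash"|"legacy", node, ver, hash attr) tuple per <c/> in the stanza.
    An unknown or absent hash attribute means pre-1.4 (legacy) caps: node#ver
    is then only an opaque cache key and nothing about it can be verified."""
    pres = ET.fromstring(presence_xml.strip())
    out = []
    for c in pres.findall(f"{{{CAPS_NS}}}c"):
        hash_name = c.get("hash")
        kind = "hash" if hash_name in SUPPORTED_HASHES else "legacy"
        out.append((kind, c.get("node"), c.get("ver"), hash_name))
    return out


def verify_disco_info(advertised_ver, hash_name, disco_xml):
    """Recompute ver from the disco#info result and compare it with the
    advertised value; only a match may be cached under node#ver."""
    if hash_name not in SUPPORTED_HASHES:
        return False
    identities, features, forms = disco_info_to_parts(disco_xml)
    return caps_ver(identities, features, forms, hash_name) == advertised_ver


# Constructed sample data for the example (node and client name are made up).
DISCO_INFO = f"""<query xmlns='{DISCO_INFO_NS}'>
  <identity category='client' type='pc' name='Exodus 0.9.1'/>
  <feature var='http://jabber.org/protocol/caps'/>
  <feature var='http://jabber.org/protocol/disco#info'/>
  <feature var='http://jabber.org/protocol/disco#items'/>
  <feature var='http://jabber.org/protocol/muc'/>
</query>"""


def presence_with_caps(hash_attr, ver, node="http://example.org/client"):
    """Constructed presence stanza carrying a single <c/> element."""
    attrs = f"hash='{hash_attr}' " if hash_attr is not None else ""
    return (f"<presence xmlns='jabber:client'><c xmlns='{CAPS_NS}' {attrs}"
            f"node='{node}' ver='{ver}'/></presence>")


if __name__ == "__main__":
    ids, feats, forms = disco_info_to_parts(DISCO_INFO)
    ver = caps_ver(ids, feats, forms)
    for hash_attr in ("sha-1", "sha-3", None):
        for kind, node, adv, h in classify_caps(presence_with_caps(hash_attr, ver)):
            ok = verify_disco_info(adv, h, DISCO_INFO) if kind == "hash" else None
            print(f"hash={hash_attr!r:8} -> {kind:6} node={node} verified={ok}")
```

The classification step is where the migration argument lives: to a receiver that only knows sha-1, a <c/> carrying hash='sha-3' (or a renamed attribute) lands on the legacy path, which is what Dave wants, and which in the software Joe describes means the sender is assumed to have no caps of interest. The verification step is the part worth not skipping regardless of the algorithm chosen: a receiver that caches disco#info under node#ver without recomputing ver lets any entity populate the shared cache with whatever features it likes.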
