[Standards] Addressing Security Concerns in XEP-0115 Entity Capabilities

Peter Saint-Andre stpeter at stpeter.im
Thu Sep 8 02:51:30 UTC 2011

On 9/7/11 2:33 PM, Joe Hildebrand wrote:
> On 9/5/11 6:39 AM, "Dave Cridland" <dave at cridland.net> wrote:
>> Of course, it may be simplest just to bite the bullet and switch hash
>> algorithm - or even change the 'hash' attribute name - because then
>> it'll get treated as a pre-1.4 caps by the vast majority of entities
>> and everything will happen right (or at least, no worse than it often
>> does today anyway).
> A bunch of our software already assumes that if you're doing old caps, you
> don't have any caps we care about.
>> I'm gradually leaning toward this, because although it's *quite*
>> violent, the downside is not impossible.
>> BTW, anyone any idea what happens if you include more than one <c/>
>> in a presence, in practical terms?
> I imagine you'd break enough stuff that my vote would be to use a different
> namespace.  And then all of the people who complain to me about the *VAST*
> number of octets that caps takes will redouble their bitching and moaning.

That's one reason I'd prefer to patch up XEP-0115. Including both caps
and son-of-caps in presence broadcast strikes me as a bad idea.


Peter Saint-Andre
