[Standards] UPDATED: XEP-0276 (Presence Decloaking)

Kurt Zeilenga Kurt.Zeilenga at Isode.COM
Wed Jul 11 16:39:38 UTC 2012


A quick comment:

Security Considerations say "Because decloaking is a presence leak (albeit intentional), an XMPP client that implements the receiving side of this specification MUST disable sharing of session presence by default and MUST enable the feature only as a result of explicit user configuration."

I suggest changing "explicit user configuration" with "explicit user confirmation" and then adding another sentence that the user confirmation can be per request, per first request per requestor, or by setting some "always decloak" configuration option, or other suitable means so long as decloaking doesn't occur by default.  That is, the first MUST is the key security requirement, how to override the default is necessary detail for implementors to address how they see fit.

-- Kurt


More information about the Standards mailing list