[Standards] UPDATED: XEP-0276 (Presence Decloaking)
stpeter at stpeter.im
Wed Jul 11 18:01:32 UTC 2012
On 7/11/12 10:39 AM, Kurt Zeilenga wrote:
> A quick comment:
> Security Considerations say "Because decloaking is a presence leak (albeit intentional), an XMPP client that implements the receiving side of this specification MUST disable sharing of session presence by default and MUST enable the feature only as a result of explicit user configuration."
> I suggest changing "explicit user configuration" to "explicit user confirmation" and then adding another sentence that the user confirmation can be per request, per first request per requestor, or by setting some "always decloak" configuration option, or other suitable means so long as decloaking doesn't occur by default. That is, the first MUST is the key security requirement; how to override the default is necessary detail for implementors to address how they see fit.
Good point, and consistent with what we've said in other specs IIRC.
Will fix in the next version.
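The receiving-side policy the thread converges on (off by default, granted only through an explicit user decision, with the three override modes Kurt lists) can be written down as a small decision routine. This is an added illustration, not code from XEP-0276 or from any XMPP client; the class, mode names and the `confirm` UI hook are assumptions.

```python
"""Added example: receiving-side decloak policy (hypothetical, not XEP-0276 text).

Decloaking stays disabled unless the user has made an explicit choice. The
override modes mirror the ones proposed on the list: confirm every request,
confirm once per requestor and remember it, or an "always decloak" setting the
user turned on deliberately. With no confirmation hook nothing is ever granted.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Mode(Enum):
    OFF = "off"                      # default: never decloak, never prompt
    PER_REQUEST = "per_request"      # ask the user on every request
    PER_REQUESTOR = "per_requestor"  # ask once per requestor, remember the answer
    ALWAYS = "always"                # user explicitly enabled unconditional decloaking


class DecloakPolicy:
    def __init__(self, mode: Mode = Mode.OFF,
                 confirm: Optional[Callable[[str, str], bool]] = None):
        # confirm(requestor_jid, reason) is the UI prompt; it is the only path to "yes"
        # in the two confirmation modes. Defaults reflect the MUST: off, no hook.
        self.mode = mode
        self.confirm = confirm
        self._remembered: Dict[str, bool] = {}
        self.audit: List[Tuple[str, str, str, bool]] = []  # what was decided and why

    def should_decloak(self, requestor: str, reason: str) -> bool:
        """Return True only if presence may be shared with `requestor` for this request."""
        if self.mode is Mode.OFF:
            decision = False
        elif self.mode is Mode.ALWAYS:
            decision = True
        elif self.mode is Mode.PER_REQUESTOR and requestor in self._remembered:
            decision = self._remembered[requestor]  # no second prompt for a known requestor
        else:
            # PER_REQUEST, or the first request seen from this requestor in PER_REQUESTOR.
            # A missing hook means the user was never asked, so the answer is no.
            decision = bool(self.confirm is not None and self.confirm(requestor, reason))
            if self.mode is Mode.PER_REQUESTOR:
                self._remembered[requestor] = decision
        self.audit.append((requestor, reason, self.mode.value, decision))
        return decision
```

The audit list is there so a client can show the user which requestors it has already answered for, which is the detail a "remember my answer" mode otherwise hides.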