[Standards] vcard-temp security considerations

Philipp Hancke fippo at goodadvice.pages.de
Thu Aug 8 13:06:38 UTC 2013


The security considerations of 0054 currently say the vcard is public.

I'd like to have additional text there along the lines of xep-0030 for a 
more restrictive server:
   In response to a vcard-temp request, the server MUST return a
   <service-unavailable/> error if one of the following is true:
   1. The target entity does not exist.
   2. The requesting entity is not authorized to receive presence from the
      target entity (i.e., via a presence subscription of type "both" or
      "from") or is not otherwise trusted (e.g., another server in a
      trusted network).
   3. The requesting entity and at least one of the user's resources have
      exchanged directed presence.

The last item is basically there not to break MUC. It might be good to add 
this to 0030, too. But I can be convinced that this is already covered by 
(2), even though not explicitly mentioned.

Thoughts?
