[Standards] vcard-temp security considerations

Dave Cridland dave at cridland.net
Thu Aug 8 18:38:04 UTC 2013


On Thu, Aug 8, 2013 at 2:06 PM, Philipp Hancke <fippo at goodadvice.pages.de>wrote:

> The security considerations of 0054 currently say the vcard is public.
>
> I'd like to have additional text there along the lines of xep-0030 for a
> more restrictive server:
>   In response to a vcard-temp request, the server MUST return a
>   <service-unavailable/> error if one of the following is true:
>   1.  The target entity does not exist
>   2. The requesting entity is not authorized to receive presence from the
>      target entity (i.e., via a presence subscription of type "both" or
>      "from") or is not otherwise trusted (e.g., another server in a
>      trusted network).
>   3. The requesting entity and at least one of the users resources have
>     exchanged directed presence
>
> The last item is basically there not to break MUC. It might be good to add
> this to 0030, too. But I can be convinced that this is already covered by
> (2), even though not explicitly mentioned.
>
> Thoughts?
>

I think those are reasonable suggestions, but they're not a mandatory
requirement in my opinion.

I think we might offer it as a potential (and allowable) mitigation,
though, alongside providing different vCards to different requestors, and
so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/standards/attachments/20130808/38c47c26/attachment.html>


More information about the Standards mailing list