[Standards] XEP-0138: security considerations

Kevin Smith kevin at kismith.co.uk
Thu Apr 24 16:47:03 UTC 2014


On Mon, Apr 14, 2014 at 3:53 PM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
> On 4/14/14, 8:33 AM, Philipp Hancke wrote:
>>
>> [...]
>>>
>>>    1. A server implementation MUST NOT turn on compression by default;
>>> instead, it MUST enable a server administrator to turn on compression if
>>> desired.
>>
>>
>> Any particular reason to use RFC 2119 language here (and in 2+3)?
>> Otherwise this LGTM.
>>
>> [...]
>>>
>>>    3. A server implementation MUST enable a server administrator to
>>> limit the amount of bandwidth it will allow a connected client or peer
>>> server to use in a given time period.
>>
>>
>> We have that already in
>> http://xmpp.org/extensions/xep-0205.html#rec-bandwidth so if this is
>> repeated here (which seems like a good idea) there should be a reference.
>
>
> In fact, some of this text is in RFC 6120:
>
> http://tools.ietf.org/html/rfc6120#section-13.12
>
> Mostly we're strengthening that here, and if 6120bis is ever published we'll
> strengthen the text in the core spec.

I hope we wouldn't tighten it - it's already too strong with SHOULDs
on stuff that's entirely implementation detail.

/K


