[Standards] Confusion in XEP-0334

Kurt Zeilenga kurt.zeilenga at isode.com
Mon Dec 22 13:14:35 UTC 2014


I think it odd that this spec says
    This specification introduces no known security considerations.

When it’s providing hints, at least in certain use cases, to an attacker as to what the sender considers to be more sensitive. That is, it seems to be a “look at this stanza” flag to attackers.

Also, 334 says the requirements include “allow a sender to hint to the recipient” but it seems to be asking entities providing archive services stanza (or copying) to act on the hint.

I also note that when MAM is implemented on top of an auditing-style database, one meeting the requirement to record all traffic, then the <no-store/> & <no-permanent-store/> hints, to the implementor, should be regarded as hints as to what stanzas to return to the entity making the MAM request.

— Kurt

> On Dec 22, 2014, at 1:35 AM, Adrien <souliane at mailoo.org> wrote:
> 
> Hi,
> 
> similar to my previous message about XEP-0313. I noticed some confusion in XEP-0334 [1]:
> 
> In section 3, the hint is <no-store/> but section 4 says <no-storage/> and <no-permanent-storage/>.
> 
> If the MAM implementation in Prosody is right, <no-storage/> and <no-permanent-storage/> are the good ones [2].
> 
> Regards,
> Adrien
> 
> [1] http://xmpp.org/extensions/xep-0334.html
> [2] https://code.google.com/p/prosody-modules/source/browse/mod_mam/mod_mam.lua lines 208 and 209
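
The audit-store arrangement described in the reply above, as an added sketch that is not part of the thread and not taken from Prosody or any other server: every stanza is recorded, and the hints only filter what a MAM query returns. The class, its method names and the sample stanzas are hypothetical and constructed; accepting both element spellings mentioned in the thread is an assumption.

```python
import xml.etree.ElementTree as ET

HINTS_NS = "urn:xmpp:hints"  # namespace used by XEP-0334
# Assumption: both spellings discussed in the thread are treated alike.
HINT_NAMES = ("no-store", "no-permanent-store", "no-storage", "no-permanent-storage")
HINT_TAGS = {"{%s}%s" % (HINTS_NS, name) for name in HINT_NAMES}


class AuditBackedArchive:
    """Hypothetical store: the audit log keeps everything, MAM results are filtered."""

    def __init__(self):
        self._audit_log = []  # list of (owner_jid, raw_stanza_xml)

    def record(self, owner, stanza_xml):
        # Audit requirement: every stanza is recorded, whatever hints it carries.
        ET.fromstring(stanza_xml)  # raises ParseError on malformed XML
        self._audit_log.append((owner, stanza_xml))

    @staticmethod
    def has_no_archive_hint(stanza_xml):
        # Only direct children in the hints namespace count; a same-named
        # element in another namespace is not a hint.
        root = ET.fromstring(stanza_xml)
        return any(child.tag in HINT_TAGS for child in root)

    def mam_query(self, owner):
        # The hints decide what is returned to the requester, not what is kept.
        return [xml for who, xml in self._audit_log
                if who == owner and not self.has_no_archive_hint(xml)]

    def audit_count(self):
        return len(self._audit_log)


# Constructed sample stanzas (not from the thread).
SAMPLE_STANZAS = [
    "<message xmlns='jabber:client'><body>hello</body></message>",
    "<message xmlns='jabber:client'><body>secret</body>"
    "<no-store xmlns='urn:xmpp:hints'/></message>",
    "<message xmlns='jabber:client'><body>otr</body>"
    "<no-permanent-storage xmlns='urn:xmpp:hints'/></message>",
    "<message xmlns='jabber:client'><body>lookalike</body>"
    "<no-store xmlns='urn:example:other'/></message>",
]
```

In this arrangement the hinted stanzas remain in the audit log, so access control on that log, not the hint, is what protects them.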
