[Standards] LAST CALL: XEP-0186 (Invisible Command)

Tomasz Sterna tomek at xiaoka.com
Thu Jul 17 11:10:44 UTC 2014


On Fri, 2014-06-20 at 02:59 +0000, XMPP Extensions Editor
wrote:
> 1. Is this specification needed to fill gaps in the XMPP protocol stack or to clarify an existing protocol?

No.


> 2. Does the specification solve the problem stated in the introduction and requirements?

It appears so, but has numerous issues.


> 3. Do you plan to implement this specification in your code? If not, why not?

No. I feel uncomfortable providing my users with something that only
appears to work, but is known to fail and be exploitable.
My opinion is that it's better to have no sense of security than to
have a false one.

I already implemented XEP-0191 in jabberd2, which I see as a far better
solution to providing this feature.


> 4. Do you have any security concerns related to this specification?

Yes.
It has been demonstrated over time that there are numerous ways of
probing real user presence. Also, the specification has issues already
mentioned in this thread.


> 5. Is the specification accurate and clearly written?

Yes.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://xiaoka.com/



