[Standards] NEW: XEP-0359 (Unique and Stable Stanza IDs)
dave at cridland.net
Wed Jul 15 19:57:16 UTC 2015
On 15 July 2015 at 16:12, Florian Schmaus <flo at geekplace.eu> wrote:
> On 15.07.2015 10:12, Dave Cridland wrote:
> > Can we add something into the security considerations for this document
> > which discusses the exposure of the jid in "by", please?
> I had the same thought, but then discarded adding such a consideration
> because the only JIDs worth protecting are the ones of clients. And
> those don't have a need to set the 'by' value.
If you considered it, then it's a security consideration. ;-)
More seriously, it exposes non-terminal jids in a manner that may or may
not leak something to an attacker - it may not ever leak anything useful in
the ways you've considered using it, but a protocol requiring id stamping
of some intermediary that's otherwise not exposed could be problematic.
> But, adding an explicit statement about (client) JID leaks can't hurt.
> Noted for the next version bump of XEP-SID.
> - Florian
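As an added example, not code from this thread or from XEP-0359 itself: a small check a server or client developer could run over outgoing stanzas to flag 'by' values that carry a localpart or a resource, i.e. client JIDs rather than a server or component address. The namespace is the one XEP-0359 defines; treating domain-only 'by' values as acceptable is this example's assumption, and the sample stanza is constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the <stanza-id/> element defined by XEP-0359.
SID_NS = "urn:xmpp:sid:0"


def jid_kind(jid: str) -> str:
    """Classify a JID as 'domain' (no localpart, no resource),
    'bare' (localpart@domain) or 'full' (has a resource)."""
    node, sep, rest = jid.partition("@")
    if not sep:
        # No localpart: a server or component address.
        node, rest = "", node
    _domain, _, resource = rest.partition("/")
    if resource:
        return "full"
    if node:
        return "bare"
    return "domain"


def exposed_by_values(stanza_xml: str):
    """Return (by, kind) for every <stanza-id/> whose 'by' attribute
    is more specific than a domain, i.e. would reveal a client JID."""
    root = ET.fromstring(stanza_xml)
    findings = []
    for el in root.iter(f"{{{SID_NS}}}stanza-id"):
        by = el.get("by", "")
        kind = jid_kind(by)
        if kind != "domain":
            findings.append((by, kind))
    return findings


# Constructed sample: one acceptable component 'by', two client JIDs.
SAMPLE_STANZA = (
    "<message xmlns='jabber:client' to='room@muc.example.org'>"
    "<body>hi</body>"
    f"<stanza-id xmlns='{SID_NS}' id='a1' by='muc.example.org'/>"
    f"<stanza-id xmlns='{SID_NS}' id='a2' by='alice@example.org/phone'/>"
    f"<stanza-id xmlns='{SID_NS}' id='a3' by='bob@example.org'/>"
    "</message>"
)

if __name__ == "__main__":
    for by, kind in exposed_by_values(SAMPLE_STANZA):
        print(f"'by' exposes a {kind} JID: {by}")
```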