[Standards] NEW: XEP-0359 (Unique and Stable Stanza IDs)

Dave Cridland dave at cridland.net
Wed Jul 15 19:57:16 UTC 2015


On 15 July 2015 at 16:12, Florian Schmaus <flo at geekplace.eu> wrote:

> On 15.07.2015 10:12, Dave Cridland wrote:
> > Can we add something into the security considerations for this document
> > which discusses the exposure of the jid in "by", please?
>
> I had the same thought, but then discarded adding such a consideration
> because the only JIDs worth protecting are the ones of clients. And
> those don't have a need to set the 'by' value.
>
>
If you considered it, then it's a security consideration. ;-)

More seriously, it exposes non-terminal jids in a manner that may or may
not leak something to an attacker - it may not ever leak anything useful in
the ways you've considered using it, but a protocol requiring id stamping
of some intermediary that's otherwise not exposed could be problematic.


> But, adding an explicit statement about (client) JID leaks can't hurt.
> Noted for the next version bump of XEP-SID.
>
> - Florian
>
>
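The point Dave raises, as an added illustration that is not part of the original thread and not code from any XMPP project: every `<stanza-id/>` an intermediary stamps on a message carries that intermediary's address in `by`, so the receiving client (or anyone who can read the stanza) learns the JID of each stamping hop, including hops that never otherwise appear on the wire. The sample stanza, the JIDs (`room@conference.example.org`, `bob@example.net`, `internal-relay.example.org`) and the ID values are constructed for the example. The receiver-side rule follows how XEP-0359 assigns `by` (the room's bare JID for groupchat, the user's own bare JID otherwise); the stripping helper for a server that forwards stanzas is my own suggestion, not something the XEP mandates.

```python
"""Inspect, trust-filter and strip XEP-0359 <stanza-id/> elements on a message."""
import xml.etree.ElementTree as ET

NS_SID = "urn:xmpp:sid:0"
NS_CLIENT = "jabber:client"
SID_TAG = f"{{{NS_SID}}}stanza-id"

# Constructed sample (hypothetical JIDs and IDs): a groupchat message stamped by
# the room, by the recipient's own server, and by an internal relay that the
# recipient would otherwise never see.
SAMPLE_STANZA = f"""
<message xmlns="{NS_CLIENT}" type="groupchat"
         from="room@conference.example.org/alice" to="bob@example.net/laptop">
  <body>hello</body>
  <stanza-id xmlns="{NS_SID}" by="room@conference.example.org" id="id-room-1"/>
  <stanza-id xmlns="{NS_SID}" by="bob@example.net" id="id-home-1"/>
  <stanza-id xmlns="{NS_SID}" by="internal-relay.example.org" id="id-relay-1"/>
</message>
"""


def bare_jid(jid):
    """Strip the resource part: 'user@host/res' -> 'user@host'."""
    return jid.split("/", 1)[0]


def exposed_by_values(stanza_xml):
    """Every address a reader of this stanza learns from 'by' attributes.

    This is the leak under discussion: the third entry is an intermediary whose
    JID appears nowhere else in the stanza.
    """
    root = ET.fromstring(stanza_xml)
    return [e.get("by") for e in root.findall(SID_TAG)]


def expected_archive(root, own_bare_jid):
    """Entity the receiver expects to have stamped the stanza (per XEP-0359):
    the room's bare JID for groupchat, otherwise the user's own bare JID."""
    if root.get("type") == "groupchat":
        return bare_jid(root.get("from", ""))
    return own_bare_jid


def trusted_stanza_id(stanza_xml, own_bare_jid):
    """Return (by, id) of the one stanza-id the client may rely on, or None.

    stanza-id is not cryptographically bound to anything, so a client should
    only act on the element whose 'by' matches the entity it expects, and
    ignore the rest (including any stamped by an unknown intermediary).
    """
    root = ET.fromstring(stanza_xml)
    want = expected_archive(root, own_bare_jid)
    for e in root.findall(SID_TAG):
        if e.get("by") == want:
            return (e.get("by"), e.get("id"))
    return None


def strip_foreign_stanza_ids(stanza_xml, keep_by):
    """Server-side hygiene (my suggestion, not a XEP-0359 requirement): before
    forwarding to a client, drop stanza-id elements whose 'by' is not in
    keep_by, so internal hops are not disclosed."""
    root = ET.fromstring(stanza_xml)
    for e in list(root.findall(SID_TAG)):
        if e.get("by") not in keep_by:
            root.remove(e)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("exposed:", exposed_by_values(SAMPLE_STANZA))
    print("trusted:", trusted_stanza_id(SAMPLE_STANZA, "bob@example.net"))
    cleaned = strip_foreign_stanza_ids(
        SAMPLE_STANZA, {"room@conference.example.org", "bob@example.net"})
    print("after strip:", exposed_by_values(cleaned))
```

Run stand-alone it lists all three stamping entities, selects only the room's ID as trustworthy for the groupchat message, and shows the relay's address gone once the server strips IDs it did not expect to forward.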