[Standards] Depreciating XEP-0146: Remote Controlling Clients
flo at geekplace.eu
Mon Aug 29 07:32:00 UTC 2016
On 27.08.2016 14:27, Emmanuel Gil Peyrot wrote:
> I’d like to propose deprecating XEP-0146, on the basis that some of its
> features are a security hazard, some overlap with better solutions
> available now, and some are just kind of useless.
> XEP-0146 defines five use-cases:
> 1. Change status
> 2. Forward unread messages residing at the remote client to the local
> 3. Change run-time options
> 4. Accept pending file transfer requests
> 5. Leave groupchats
> Of those, 2. is the biggest problem, at least some implementations will
> happily send a plain-text version of their logs to any other resource
> requesting it. It is also a use-case solved in a much nicer way by
> The main reason for 4., poor routing of iq-based file transfers, is
> already solved by XEP-0353 (alongside XEP-0280 in some situations). It
> might make sense to keep this feature for other reasons, like if you
> are on a bandwidth-limited mobile network but want to accept a big file
> transfer on your home server so you can have the file once you come
> home, I don’t feel strongly about deprecating this part of XEP-0146.
> The rest of the use-cases can possibly be security issues as well
> (especially 3. depending on what gets exposed), but are mostly not
> really useful, especially with the direction XMPP is moving to (like
> MIX using PAM to handle groupchat join-ness, or multiple resources
> being more hidden in modern UIs).
> So I propose deprecating this XEP, or at least the bad parts of it, or
> at least improving the Security Considerations, let’s discuss!
+1 for deprecating it. But let's not just put the status to 'deprecated'
but also let us add a short note about the intended alternatives in
order to provide guidance regarding the upgrade path.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 603 bytes
Desc: OpenPGP digital signature
More information about the Standards