[Standards] Deprecating XEP-0146: Remote Controlling Clients

Daniel Gultsch daniel at gultsch.de
Mon May 29 14:49:18 UTC 2017


Obsolete even due to the security implications the Security
Considerations fail to mention.

I'll make sure we are going to vote on this in the next council session.

2016-08-27 14:27 GMT+02:00 Emmanuel Gil Peyrot <linkmauve at linkmauve.fr>:
> Hello,
>
> I’d like to propose deprecating XEP-0146, on the basis that some of its
> features are a security hazard, some overlap with better solutions
> available now, and some are just kind of useless.
>
> XEP-0146 defines five use-cases:
> 1. Change status
> 2. Forward unread messages residing at the remote client to the local
>    client
> 3. Change run-time options
> 4. Accept pending file transfer requests
> 5. Leave groupchats
>
> Of those, 2. is the biggest problem: at least some implementations will
> happily send a plain-text version of their logs to any other resource
> requesting it.  It is also a use-case solved in a much nicer way by
> XEP-0313.
>
> The main reason for 4., poor routing of iq-based file transfers, is
> already solved by XEP-0353 (alongside XEP-0280 in some situations).  It
> might make sense to keep this feature for other reasons, like if you
> are on a bandwidth-limited mobile network but want to accept a big file
> transfer on your home server so you can have the file once you come
> home; I don’t feel strongly about deprecating this part of XEP-0146.
>
> The rest of the use-cases can possibly be security issues as well
> (especially 3. depending on what gets exposed), but are mostly not
> really useful, especially with the direction XMPP is moving to (like
> MIX using PAM to handle groupchat join-ness, or multiple resources
> being more hidden in modern UIs).
>
> So I propose deprecating this XEP, or at least the bad parts of it, or
> at least improving the Security Considerations; let’s discuss!
>
> Thanks,
>
> --
> Emmanuel Gil Peyrot

