[Standards] LAST CALL: XEP-0313 (Message Archive Management)

Holger Weiß holger at zedat.fu-berlin.de
Wed Nov 15 16:59:25 UTC 2017


* Jonas Wielicki <jonas at wielicki.name> [2017-10-16 18:38]:
> 4. Do you have any security concerns related to this specification?

As I understood it, the reasoning for the last namespace bump to mam:2
was to offer the guarantee that stanza IDs are added to live messages as
per XEP-0359.  So if the client encounters a <stanza-id/> tag (with the
expected attributes), it can be *sure* this wasn't added by an entity
other than the one controlling the MAM archive.

However, for carbon-copied messages, this is only a SHOULD clause, not a
MUST: "servers SHOULD include the element as a child of the forwarded
message when using Message Carbons (XEP-0280)".  Doesn't this render the
guarantee useless, as clients can *not* rely on stanza IDs encountered
within carbon-copied messages?

Holger
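
[Added example, not part of the original message and not code from any XMPP project: a client-side policy that encodes the distinction raised above. It trusts a <stanza-id/> on a live message only when its 'by' attribute is the user's own archive, and marks one found inside a carbon copy as unverified because stamping there is only a SHOULD. The function name, verdict strings, JIDs and sample stanzas are constructed, and the server is assumed to have advertised urn:xmpp:mam:2.]

```python
import xml.etree.ElementTree as ET

SID = "{urn:xmpp:sid:0}stanza-id"
CARBON_WRAPPERS = ("{urn:xmpp:carbons:2}received", "{urn:xmpp:carbons:2}sent")
FORWARDED_MSG = "{urn:xmpp:forward:0}forwarded/{jabber:client}message"

# Constructed sample stanzas (hypothetical JIDs and ids).
INNER = ("<message xmlns='jabber:client' from='peer@example.net/a' "
         "to='me@example.org/b' type='chat'><body>hi</body>"
         "<stanza-id xmlns='urn:xmpp:sid:0' by='%s' id='%s'/></message>")
LIVE = INNER % ("me@example.org", "live-1")
FOREIGN = INNER % ("peer@example.net", "spoof-1")
CARBON = ("<message xmlns='jabber:client' from='me@example.org' "
          "to='me@example.org/c'><received xmlns='urn:xmpp:carbons:2'>"
          "<forwarded xmlns='urn:xmpp:forward:0'>"
          + INNER % ("me@example.org", "carbon-1")
          + "</forwarded></received></message>")


def classify_stanza_id(stanza_xml, archive_jid):
    """Return (stanza_id, verdict) for the archive at archive_jid.

    verdict is "trusted" for a live message, "unverified" for a carbon copy
    (stamping there is SHOULD, not MUST), "absent" if nothing usable exists.
    """
    outer = ET.fromstring(stanza_xml)
    message, verdict = outer, "trusted"
    for tag in CARBON_WRAPPERS:
        wrapper = outer.find(tag)
        if wrapper is not None:
            # The id of interest sits on the forwarded message, not the wrapper.
            message = wrapper.find(FORWARDED_MSG)
            verdict = "unverified"
            break
    if message is None:
        return None, "absent"
    # Only direct children count, and only those naming our archive in 'by'.
    ids = [e.get("id") for e in message.findall(SID)
           if e.get("by") == archive_jid]
    if len(ids) != 1 or not ids[0]:
        return None, "absent"
    return ids[0], verdict


if __name__ == "__main__":
    for name, stanza in (("live", LIVE), ("foreign", FOREIGN), ("carbon", CARBON)):
        print(name, classify_stanza_id(stanza, "me@example.org"))
```
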

