[Standards] What is the size limit of node and item ids in XEP-0060: Publish-Subscribe?
stpeter at stpeter.im
Sun Mar 4 18:42:39 UTC 2018
On 3/4/18 10:54 AM, Jonas Wielicki wrote:
> On Sonntag, 4. März 2018 17:02:07 CET Peter Saint-Andre wrote:
>> If we want to specify this, I would recommend the UsernameCaseMapped
>> profile defined in RFC 8265.
>> However, there's a twist: if a node ID can be a full JID, then do we
>> want to apply the normal rules of RFC 7622 to all the JID parts, instead
>> of one uniform profile such as UsernameCaseMapped to the entire node ID?
>> For instance, the resourcepart of a JID is allowed to contain a much
>> wider range of Unicode characters than is allowed by the
>> UsernameCaseMapped profile of the PRECIS IdentifierClass (which we use
>> for the localpart).
>> Given that a node ID can be used for authorization decisions, I think
>> it's better to be conservative in what we accept (specifically, not
>> allow the wider range of characters in a resourcepart because
>> developers, and attackers, could get too "creative").
> I would argue that adding those restrictions / any kind of string prepping to
> XEP-0060 or XEP-0030 nodes is (a) too late and (b) ambiguous at least, as you
> mentioned (depending on the data).
I would argue that not specifying normalization rules is a security hole
(e.g., allowing an attacker to gain unauthorized access to a node). Just
because we should've done this years ago doesn't mean we can fix it now.
> I’d also argue that nodes aren’t shown or typed into a field by users
> normally, so I would not worry about that kind of normalization here.
So that only automated attackers can succeed? :-)
> If a specific XEP-0030/XEP-0060-based protocol needs more guarantees, I think
> those can be defined there.
No, this needs to be done at the lowest level we can manage. Pushing
this off to extensions just means we'll have inconsistent approaches.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 873 bytes
Desc: OpenPGP digital signature
More information about the Standards