[Standards] What is the size limit of node and item ids in XEP-0060: Publish-Subscribe?
jonas at wielicki.name
Mon Mar 5 07:17:30 UTC 2018
On Sonntag, 4. März 2018 19:42:39 CET Peter Saint-Andre wrote:
> On 3/4/18 10:54 AM, Jonas Wielicki wrote:
> > On Sonntag, 4. März 2018 17:02:07 CET Peter Saint-Andre wrote:
> >> If we want to specify this, I would recommend the UsernameCaseMapped
> >> profile defined in RFC 8265.
> >> However, there's a twist: if a node ID can be a full JID, then do we
> >> want to apply the normal rules of RFC 7622 to all the JID parts, instead
> >> of one uniform profile such as UsernameCaseMapped to the entire node ID?
> >> For instance, the resourcepart of a JID is allowed to contain a much
> >> wider range of Unicode characters than is allowed by the
> >> UsernameCaseMapped profile of the PRECIS IdentifierClass (which we use
> >> for the localpart).
> >> Given that a node ID can be used for authorization decisions, I think
> >> it's better to be conservative in what we accept (specifically, not
> >> allow the wider range of characters in a resourcepart because
> >> developers, and attackers, could get too "creative").
> > I would argue that adding those restrictions / any kind of string prepping
> > to XEP-0060 or XEP-0030 nodes is (a) too late and (b) ambiguous at least,
> > as you mentioned (depending on the data).
> I would argue that not specifying normalization rules is a security hole
> (e.g., allowing an attacker to gain unauthorized access to a node). Just
> because we should've done this years ago doesn't mean we can fix it now.
Hm, okay, I don’t seem to understand the attack vector. Could you spell it out
more clearly to me?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: This is a digitally signed message part.
More information about the Standards