[Standards] LAST CALL: XEP-0359 (Unique and Stable Stanza IDs)

Georg Lukas georg at op-co.de
Tue Nov 13 17:29:44 UTC 2018


* Jonas Schäfer <jonas at wielicki.name> [2018-10-20 13:55]:
> 1. Is this specification needed to fill gaps in the XMPP protocol
> stack or to clarify an existing protocol?

Unfortunately yes, as we can't just retroactively make the stanza @id
field work reliably.

> 2. Does the specification solve the problem stated in the introduction
> and requirements?

Yes.

> 3. Do you plan to implement this specification in your code? If not,
> why not?

Yes.

> 4. Do you have any security concerns related to this specification?

§3 point 2 should probably be changed from

| Stanza ID generating entities, which encounter a <stanza-id/> element
| where the 'by' attribute matches the 'by' attribute they would otherwise
| set, MUST delete that element even if they are not adding their own
| stanza ID.

to

| Entities which receive a stanza with a <stanza-id/> element
| where the 'by' attribute matches the entity's own JID, MUST delete that
| element even if they are not adding their own stanza ID.

Obviously this can only be supported by entities that understand the
XEP, but otherwise a server might just pass on malicious stanza-id
elements from a client or remote entity.



Georg
-- 
|| http://op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++
|| gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+  ||
|| Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?   ||
++ IRCnet OFTC OPN ||_________________________________________________||
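
The receive-side rule proposed in the message above, as an added example that is not part of the original message or of any XMPP implementation. The function names and the sample stanza are constructed for illustration, and JID comparison is simplified to a lowercase string match where a real entity would compare normalized JIDs.

```python
import xml.etree.ElementTree as ET

SID_NS = "urn:xmpp:sid:0"            # XEP-0359 namespace
STANZA_ID = f"{{{SID_NS}}}stanza-id"


def _same_jid(a: str, b: str) -> bool:
    # Simplification (assumption): real code compares normalized JIDs.
    return a.strip().lower() == b.strip().lower()


def strip_own_stanza_ids(stanza_xml: str, own_jid: str) -> tuple[str, int]:
    """Delete every <stanza-id/> child whose 'by' claims to be own_jid.

    Runs on every received stanza, whether or not this entity later adds
    its own stanza ID. Returns (serialized stanza, elements removed).
    """
    stanza = ET.fromstring(stanza_xml)
    # <stanza-id/> is a direct child of the stanza, so only that level is checked.
    claimed = [el for el in stanza.findall(STANZA_ID)
               if _same_jid(el.get("by", ""), own_jid)]
    for el in claimed:
        stanza.remove(el)
    return ET.tostring(stanza, encoding="unicode"), len(claimed)


def stanza_ids(stanza_xml: str) -> list[tuple[str, str]]:
    """Return (by, id) for each <stanza-id/> child, for inspection."""
    return [(el.get("by"), el.get("id"))
            for el in ET.fromstring(stanza_xml).findall(STANZA_ID)]


# Constructed sample: a sender pre-sets a stanza-id that claims to come from
# the receiving room, next to a stanza-id assigned by a different entity.
SAMPLE = (
    "<message xmlns='jabber:client' type='groupchat' id='m1' "
    "from='user@example.com/phone' to='room@muc.example.org'>"
    "<body>hello</body>"
    f"<stanza-id xmlns='{SID_NS}' by='room@muc.example.org' id='claimed-1'/>"
    f"<stanza-id xmlns='{SID_NS}' by='user@example.com' id='other-7'/>"
    "</message>"
)

if __name__ == "__main__":
    cleaned, removed = strip_own_stanza_ids(SAMPLE, "room@muc.example.org")
    print(removed, stanza_ids(cleaned))
```

Stanza IDs assigned by other entities are left in place; only elements that claim the receiver's own JID in 'by' are dropped before the stanza is processed or forwarded.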