[Standards] LAST CALL: XEP-0359 (Unique and Stable Stanza IDs)

Florian Schmaus flo at geekplace.eu
Sun Nov 25 22:43:38 UTC 2018


On 14.11.18 13:16, Holger Weiß wrote:
> * Georg Lukas <georg at op-co.de> [2018-11-14 12:47]:
>> * Holger Weiß <holger at zedat.fu-berlin.de> [2018-11-14 10:41]:
>>> * Georg Lukas <georg at op-co.de> [2018-11-13 18:29]:
>>>> §3 point 2 should probably be changed from
>>>>
>>>> | Stanza ID generating entities, which encounter a <stanza-id/> element
>>>> | where the 'by' attribute matches the 'by' attribute they would otherwise
>>>> | set, MUST delete that element even if they are not adding their own
>>>> | stanza ID.
>>>>
>>>> to
>>>>
>>>> | Entities which receive a stanza with a <stanza-id/> element
>>>> | where the 'by' attribute matches the entiy's own JID, MUST delete that
>>>> | element even if they are not adding their own stanza ID.
>>>
>>> I guess the former wording was chosen deliberately to avoid the
>>> ambiguity about who exactly the "entities wich receive a stanza" might
>>> be.  §3, point 7 says: "For one-on-one messages the assigning entity is
>>> the account.  In groupchats the assigning entity is the room."  With
>>> your wording, readers might assume the entity is the server itself.
>>
>> Maybe then the wording needts to be "where the 'by' attribute matches a
>> JID that the entity is responsible for"? I just want to prevent somebody
>> injecting stanzas into my administrative domain with one of my JIDs.
> 
> So this isn't just about wording but about semantics?  I.e., you want
> the XEP to mandate the server to strip all stanza IDs with by=$JID,
> where $JID is any user or server JID the server feels responsible for?
> 
> In that case we'd disagree.  The XEP should only mandate stripping of
> stanzas for those JIDs on which the server announces XEP-0359 support,
> which is what the current wording is trying to do.  Any other JIDs are
> out of scope.

I'd like to hear more about the reasons for your disagreement. I am not
entirely sure if participants in this discussion always talked about the
exact same thing. Maybe a concrete example would help:

Server 'example.org' receives stanza from 'foo.org' with a <stanza-id
by='user at example.org' id='…'>

Should the 'example.org' server sanitize this <stanza-id/> or not? Which
JIDs exactly do you think are out of scope? Could you give an example?

- Florian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 618 bytes
Desc: OpenPGP digital signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20181125/d8fc216e/attachment.sig>


More information about the Standards mailing list