On 05/14/2011 01:52 AM, Glenn Maynard wrote: Hi,
> If anyone has thoughts on the discovery issue, they'd be a help. I > implemented xbosh service discovery recently, but the security issues > are a concern. I don't see any possible fix short of a redesign of > XEP-0156 without using DNS, or treating all "cross-origin" non-DNSSEC > TXT lookups as insecure (eg. triggering the same type of UI as > certificate failures) which would severely limit BOSH autodiscovery. An XHR client will also be bound to the same origin principle. So the domain checking (and the leap of faith in that server) already happened there. But for other clients your point is valid. Because of the rapid adaptation of DNSSEC, I believe it would be best to let DNSSEC fix the problem, and not try to bring an intermediate fix in place in XEP-0156. That would be the right place to fix the issue anyway, because it started with not trusting DNS in the first place. best wishes, Winfried
