Mike -

> I agree, and I strongly recommend against the use of JEP-0025 as-is
> for any remotely sensitive purposes.
>
> We have been aware of the security problems for two months and have
> proposed multiple viable solutions, but nothing has been fixed. This
> JEP either needs to be fixed or withdrawn.
*disclaimer: I am employed by Jabber, Inc* :)

JEP-25 is INFORMATIONAL! It won't be withdrawn as it's not standards track. The whole idea behind informational JEPs is that they allow companies (like Jabber, Inc.) to document the protocol extensions that they build, so other people in the Jabber community can use and build other products to them (if they so desire). It's unlikely that this JEP will change since it reflects a currently deployed product (good, bad or ugly :).

Someone needs to take JEP-25 as a base, and create a new STANDARDS track JEP that fixes the security holes in the current implementation and submit it. Then client authors (like myself) can choose to implement either JEP-25, the new standards JEP, or both.

Hope this makes sense.

Peter M.
