On 11/18/09 6:40 PM, Sean Dilda wrote:
> I like the sound of this. But it's worth remembering that this is only
> one piece of the puzzle. Your solution makes the assumption that
> everyone who runs an XMPP server is benevolent. Unfortunately, that's
> not something we can assume. As such, a multi-pronged approach is
> needed. Something like yours that can work with sites with benevolent
> admins. And something like DNSBL will be needed to handle sites/domains
> that are known to not handle the first method.
As I always say, we don't need to be perfect, just more difficult to attack than other networks. Part of raising the cost (mostly the cost in time) would involve requiring TLS with CA-issued certificates for s2s (perhaps we can get there eventually!). But as you say there is no magic solution, and we'll need to consider many different approaches.

A while back I worked a bit on the concept of server reputations, and that might feed into DNSBLs -- e.g., your server starts out at zero points when it first comes on the network, and it gets more points for proper DNS SRV records, a CA-issued certificate, requiring TLS, support for XEP-0268, lack of open registration (IBR without CAPTCHAs), and other things we think are important. I would prefer something objective like that, rather than personalized DNSBLs with no standards.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
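The reputation scheme sketched in the message above (start at zero, earn points for SRV records, a CA-issued certificate, mandatory TLS, XEP-0268 support and no open registration) combined with the DNSBL layer from the quoted reply, as an added worked example that is not part of this thread or of any XMPP server's code. The point values, the accept/rate-limit/greylist thresholds, the `ServerProfile` fields and the sample domains are all constructed assumptions; the thread names the criteria but not the weights.

```python
"""Constructed example: objective s2s reputation scoring plus a DNSBL override."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ServerProfile:
    """Facts a receiving server could establish about a remote domain (hypothetical fields)."""
    domain: str
    has_srv_records: bool        # proper _xmpp-server._tcp SRV records are published
    cert_issuer: Optional[str]   # "ca" = CA-issued, "self" = self-signed, None = no certificate
    requires_tls: bool           # refuses plaintext s2s
    supports_xep0268: bool       # advertises XEP-0268 incident handling
    open_registration: bool      # in-band registration without a CAPTCHA


# Assumed point values for each criterion named in the message.
POINTS: Dict[str, int] = {
    "srv_records": 1,
    "ca_certificate": 3,
    "requires_tls": 2,
    "xep_0268": 1,
    "no_open_registration": 2,
}
MAX_SCORE = sum(POINTS.values())  # 9 with the weights above


def score_server(profile: ServerProfile) -> Tuple[int, List[str]]:
    """Start at zero and add points per satisfied criterion; return the score and why."""
    score = 0
    reasons: List[str] = []
    checks = [
        ("srv_records", profile.has_srv_records),
        ("ca_certificate", profile.cert_issuer == "ca"),
        ("requires_tls", profile.requires_tls),
        ("xep_0268", profile.supports_xep0268),
        ("no_open_registration", not profile.open_registration),
    ]
    for name, satisfied in checks:
        if satisfied:
            score += POINTS[name]
            reasons.append(name)
    return score, reasons


def policy_for(profile: ServerProfile, dnsbl: FrozenSet[str]) -> str:
    """Second prong: a DNSBL listing overrides reputation; otherwise bucket by score.

    Thresholds are assumed: >= 7 accept, 3..6 rate-limit, below 3 greylist.
    """
    if profile.domain in dnsbl:
        return "reject"
    score, _ = score_server(profile)
    if score >= 7:
        return "accept"
    if score >= 3:
        return "rate-limit"
    return "greylist"


# Constructed sample domains (not real hosts).
WELL_RUN = ServerProfile("good.example", True, "ca", True, True, False)
NEW_SERVER = ServerProfile("fresh.example", True, "self", False, False, True)
LISTED = ServerProfile("listed.example", True, "ca", True, True, False)
SAMPLE_DNSBL: FrozenSet[str] = frozenset({"listed.example"})


if __name__ == "__main__":
    for p in (WELL_RUN, NEW_SERVER, LISTED):
        score, reasons = score_server(p)
        print(f"{p.domain}: {score}/{MAX_SCORE} {reasons} -> {policy_for(p, SAMPLE_DNSBL)}")
```

A well-run server earns the full score and is accepted; a freshly deployed server with only SRV records lands in the greylist bucket until its operator adds a CA-issued certificate and closes open registration; a listed domain is rejected regardless of how it scores, which is the "multi-pronged" behaviour the quoted reply asks for.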
