On 2018/03/09, Georg Lukas wrote:
> 1) the Security Considerations spoil all the fun of automatic account
> transfers:
>
> | In order to prevent other users from maliciously altering contacts the
> | client SHOULD NOT automatically subscribe to a <moved/> JID when it
> | receives an unsubscribe and SHOULD NOT automatically unsubscribe to a
> | <moved/> JID when it receives a subscribe.
>
> I think that if our contact proves ownership of both accounts by
> publishing a <moved/> element on each, containing the respective other
> JID, there should be no security problems with automatically replacing
> the contact's JID on our roster.
>
> While in theory, someone with short-term access to our account will be
> able to permanently steal all our contacts, I would consider that
> account as fully compromised anyway, and the attacker can well perform
> any other kind of impersonation or social engineering attack they want.
I'm all in favour of this!

-- 
Maxime “pep” Buquet
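The mutual-proof check Georg describes, written out as an added example that is not part of this thread or of any XEP implementation. The payload layout (a `<moved/>` element in an assumed `urn:xmpp:moved:0` namespace with a `<new-jid/>` child) and the dict-shaped roster are assumptions; the point is that a one-sided claim never rewrites the roster automatically.

```python
import xml.etree.ElementTree as ET

# Assumed (not from the thread): payload is <moved xmlns=MOVED_NS><new-jid>...</new-jid></moved>.
MOVED_NS = "urn:xmpp:moved:0"


def bare_jid(jid):
    """Drop the resource and lower-case the domain so two spellings of one account compare equal."""
    jid = jid.split("/", 1)[0]
    local, sep, domain = jid.rpartition("@")
    return local + sep + domain.lower()


def moved_target(payload_xml):
    """Return the bare JID named by a <moved/> payload, or None if the account publishes none."""
    if not payload_xml:
        return None
    root = ET.fromstring(payload_xml)
    moved = root if root.tag == f"{{{MOVED_NS}}}moved" else root.find(f".//{{{MOVED_NS}}}moved")
    if moved is None:
        return None
    new_jid = moved.findtext(f"{{{MOVED_NS}}}new-jid")
    return bare_jid(new_jid.strip()) if new_jid and new_jid.strip() else None


def mutual_move_verified(old_jid, old_payload, new_jid, new_payload):
    """True only if the old account names the new one AND the new account names the old one."""
    old_jid, new_jid = bare_jid(old_jid), bare_jid(new_jid)
    if old_jid == new_jid:
        return False
    return moved_target(old_payload) == new_jid and moved_target(new_payload) == old_jid


def apply_move(roster, old_jid, old_payload, new_jid, new_payload):
    """Re-key the roster entry only after mutual proof; otherwise return it unchanged with changed=False."""
    roster = dict(roster)  # shallow copy: the caller's roster is never mutated
    if not mutual_move_verified(old_jid, old_payload, new_jid, new_payload):
        return roster, False
    old_jid, new_jid = bare_jid(old_jid), bare_jid(new_jid)
    if old_jid not in roster:
        return roster, False
    roster[new_jid] = roster.pop(old_jid)  # keep name/subscription, only the JID changes
    return roster, True


# Constructed sample data (not from the thread).
MOVED_OLD = f"<moved xmlns='{MOVED_NS}'><new-jid>alice@new.example</new-jid></moved>"
MOVED_NEW = f"<moved xmlns='{MOVED_NS}'><new-jid>alice@OLD.example</new-jid></moved>"
MOVED_BOGUS = f"<moved xmlns='{MOVED_NS}'><new-jid>mallory@evil.example</new-jid></moved>"
ROSTER = {"alice@old.example": {"name": "Alice", "subscription": "both"}}
```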
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________