David Banes wrote:
>
> On 30/04/2008, at 7:39 AM, Peter Saint-Andre wrote:
>
>> David Banes wrote:
>>> Just a note that maybe;
>>>
>>> 5. Security Considerations
>>>
>>> should mention privacy and identity theft, this would be one more piece
>>> of personal information available on the net for bots to grab when
>>> scanning social networking sites.
>>
>> That wouldn't help a spammer if the URL points to a pubsub node. But I
>> suppose it might be a problem for MUC rooms and user accounts.
>>
>>> Maybe there should be a recommendation to encode the address?
>>
>> Like the MD5 hashes that FOAF uses for email addresses?
>
> I'm not familiar with FOAF yet but if they are creating an MD5 of an
> address that points to a real mailto: uri to send email then yes that
> sounds like a sensible approach.

Well they use SHA1, not MD5, but it's the same idea:

http://xmlns.com/foaf/spec/#term_mbox_sha1sum

>> Personally I think it's the responsibility of those who run the XMPP
>> network to protect against abusive traffic natively, because people's
>> JIDs will leak out no matter what we do.
>
> I see your point but coming from a security background I always think
> it's much better to design in as much security as you can that's either
> mandatory or recommended.
>
> We've moved away from displaying email addresses online to using contact
> forms, maybe it's an idea obfuscate IM uri's now rather than later.

Sure, so don't advertise your JID. If you want a hashed identifier, you
can use a MicroID or somesuch:

http://microid.org/

Peter

--
Peter Saint-Andre
https://stpeter.im/
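An added example, not part of the original thread, of the two hashed identifiers mentioned above: FOAF's mbox_sha1sum and a MicroID computed for an XMPP address, plus the check a verifier who already knows the address would run. The JID, page URL, function names and the lowercasing of the identity URI are assumptions made for illustration.

```python
import hashlib
import hmac


def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def normalize_identity(uri: str) -> str:
    # Assumption: publisher and verifier agree to trim and lowercase the
    # identity URI (bare JID or mailbox). Neither spec mandates this step.
    return uri.strip().lower()


def mbox_sha1sum(mailto_uri: str) -> str:
    """FOAF mbox_sha1sum: SHA1 hex digest of the full mailto: URI."""
    return _sha1_hex(normalize_identity(mailto_uri))


def microid(identity_uri: str, service_uri: str) -> str:
    """MicroID: sha1(sha1(identity) + sha1(service)), prefixed with both
    URI schemes and the hash name, so the value is bound to one page."""
    ident = normalize_identity(identity_uri)
    digest = _sha1_hex(_sha1_hex(ident) + _sha1_hex(service_uri))
    id_scheme = ident.split(":", 1)[0]
    svc_scheme = service_uri.split(":", 1)[0].lower()
    return f"{id_scheme}+{svc_scheme}:sha1:{digest}"


def claims_identity(published: str, identity_uri: str, service_uri: str) -> bool:
    """Verifier side: recompute from a known address and compare."""
    expected = microid(identity_uri, service_uri)
    return hmac.compare_digest(published.encode("utf-8"), expected.encode("utf-8"))


# Constructed sample values, not taken from the thread.
JID = "xmpp:juliet@example.com"
PAGE = "http://example.com/juliet/profile"

if __name__ == "__main__":
    token = microid(JID, PAGE)
    print("published on page:", token)
    print("mbox_sha1sum     :", mbox_sha1sum("mailto:juliet@example.com"))
    print("verifier match   :", claims_identity(token, JID, PAGE))
```

Both values are unsalted hashes of the address, so they keep the JID out of plain-text scraping but can be recomputed by anyone who already has or can guess the address.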
