Hi,
On Apr 3, 2008, at 12:32 PM, Remko Tronçon wrote:
If I give too much relevance to the user nickname or other information in
control of the contact, then I think we are opening up a lot of avenues of
attack. Just showing the avatar is problem enough.
I agree, automatic naming of contacts is quite dangerous. Still, users
ask us for that feature quite regularly. I wonder what we could do for
them. Maybe some semi-automatic way of updating the nickname where the
user has to explicitly request a nickname update could work, although
I'm not sure if it's worth the extra menu item (if you can see the
nickname in 'more info', you could ).
What about a "suggested" name feature?
I'm not against the idea of suggesting a name for a new contact,
based on contact information (like nickname, vcard, or user-profile).
I'm just saying that we should at least mention to client developers
the risk of too much trust in remote information, regarding spoofing
attacks.
But anyway, that's a separate issue. If we agree that it's bad
practice to hide the real roster name from the user, I guess
meta-contacts based on roster name is an easy enough solution.
Whatever the user chooses as the name of the roster item, be it
something that he typed himself, or something suggested based on the
contact information, I think the meta-contact XEP should use the
local roster item name attribute.
One further point about the current meta-contacts XEP: the amount of
data flowing back and forth when we change a meta-contact becomes
very large fast. If we keep on this route, and with PEP, it might be
worth having a different node per meta-contact.
Best regards,
--
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: [EMAIL PROTECTED]
Use XMPP!
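
An added illustration of the approach discussed in this message, not code from the thread or from any XMPP client: meta-contacts are keyed on the user's own roster item name, and a nickname supplied by the contact is only ever returned as a suggestion, refused when it would imitate an existing contact. The function names, the sample roster and the collision rule are assumptions made for the example.

```python
import unicodedata
import xml.etree.ElementTree as ET
from collections import defaultdict

ROSTER_NS = "{jabber:iq:roster}"

# Constructed sample roster result; the JIDs and names are made up.
SAMPLE_ROSTER = """
<query xmlns='jabber:iq:roster'>
  <item jid='alice@example.org' name='Alice'/>
  <item jid='alice@example.net' name='Alice'/>
  <item jid='bob@example.com' name='Bob'/>
  <item jid='mallory@example.com'/>
</query>
"""

def fold(name):
    """Normalise a name for comparison so look-alike variants collide."""
    return unicodedata.normalize("NFKC", name).casefold().strip()

def load_roster(xml_text):
    """Return {jid: local roster name or None} from a roster query."""
    root = ET.fromstring(xml_text)
    return {i.get("jid"): i.get("name") for i in root.iter(ROSTER_NS + "item")}

def meta_contacts(roster):
    """Group JIDs by the user's own roster name; unnamed items stay alone."""
    groups = defaultdict(list)
    for jid, name in roster.items():
        groups[name if name else jid].append(jid)
    return dict(groups)

def suggest_name(roster, jid, remote_nick):
    """Treat a contact-supplied nick as a suggestion, never as the label.

    Returns (suggestion, warning). The roster is not modified; the caller
    applies the name only after the user explicitly accepts it.
    """
    # Drop control and bidi-override characters the contact may have sent.
    printable = "".join(c for c in remote_nick if c.isprintable()).strip()
    if not printable:
        return None, "empty or unprintable nickname"
    # Names the user already gave to other contacts, folded for comparison.
    taken = {fold(n): j for j, n in roster.items() if n and j != jid}
    if fold(printable) in taken:
        return None, "nick matches existing contact " + taken[fold(printable)]
    return printable, None
```
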