Peter Saint-Andre <[EMAIL PROTECTED]> wrote:

> So start writing. :P

It was asked for possible solutions for that. I just named a few :).

> Hmm. Mostly I see that as the server's problem -- it can collect that
> information from its own users. If it comes across a hash that it
> can't gather locally, then you're right that it needs to figure out
> the supported features by pinging a user at "server2", presumably
> based on whether the user has a contact at server1. But the user's
> client needs to be careful about replying to such requests -- if it
> comes from the server associated with a contact, then there's no real
> problem (because the contact's server already has access to the
> user's presence traffic anyway). But if the disco#info request comes
> from a server that is totally unknown to the user's client because
> the user has no contacts at that domain (e.g., "attacker.com"), then
> the user's client needs to return a service-unavailable error. IMHO
> this is clear from XEP-0030, but we can add some text about it to
> XEP-0115 if people think that would help.

An attacker could still create an account on the server and then add [EMAIL PROTECTED], thus it would seem legitimate.

-- 
Jonathan