Jonathan Schleifer wrote:
> Peter Saint-Andre <[EMAIL PROTECTED]> wrote:
>
>> So start writing. :P
>
> It was asked for possible solutions for that. I just named a few :).
>
>> Hmm. Mostly I see that as the server's problem -- it can collect that
>> information from its own users. If it comes across a hash that it
>> can't gather locally, then you're right that it needs to figure out
>> the supported features by pinging a user at "server2", presumably
>> based on whether the user has a contact at server1. But the user's
>> client needs to be careful about replying to such requests -- if it
>> comes from the server associated with a contact, then there's no real
>> problem (because the contact's server already has access to the
>> user's presence traffic anyway). But if the disco#info request comes
>> from a server that is totally unknown to the user's client because
>> the user has no contacts at that domain (e.g., "attacker.com"), then
>> the user's client needs to return a service-unavailable error. IMHO
>> this is clear from XEP-0030, but we can add some text about it to
>> XEP-0115 if people think that would help.
>
> An attacker could still create an account on the server and then add
> [EMAIL PROTECTED], thus it would seem legitimate.
Sure. So choose your friends carefully.

Peter

--
Peter Saint-Andre
https://stpeter.im/
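The client-side rule described in the quoted message (answer a disco#info request only when it comes from a roster contact or from a contact's server, otherwise return service-unavailable), as an added illustration that is not code from this thread or from any XMPP library. The roster, feature list and sample stanzas below are constructed for the example; the XEP-0115 `node` attribute is echoed back as XEP-0030 requires.

```python
import xml.etree.ElementTree as ET

DISCO_INFO_NS = "http://jabber.org/protocol/disco#info"
STANZA_ERR_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Constructed sample roster (bare JIDs) and advertised features.
ROSTER = {"alice@example.net", "bob@example.org"}
FEATURES = [DISCO_INFO_NS, "http://jabber.org/protocol/caps"]


def domain_of(jid: str) -> str:
    """Return the domain part of a bare, full or domain-only JID."""
    bare = jid.split("/", 1)[0]
    return bare.split("@", 1)[1] if "@" in bare else bare


def is_trusted_sender(sender: str, roster: set) -> bool:
    """True if the sender is a roster contact or the server of one."""
    if sender.split("/", 1)[0] in roster:
        return True
    return domain_of(sender) in {domain_of(c) for c in roster}


def handle_disco_info(iq_xml: str, roster: set, features: list) -> str:
    """Build the IQ reply: a disco#info result for trusted senders,
    a cancel/service-unavailable error for everyone else."""
    iq = ET.fromstring(iq_xml)
    sender = iq.get("from", "")
    reply = ET.Element("iq", {"type": "result", "to": sender,
                              "id": iq.get("id", "")})
    if not is_trusted_sender(sender, roster):
        reply.set("type", "error")
        err = ET.SubElement(reply, "error", {"type": "cancel"})
        ET.SubElement(err, "service-unavailable", {"xmlns": STANZA_ERR_NS})
        return ET.tostring(reply, encoding="unicode")
    query = ET.SubElement(reply, "query", {"xmlns": DISCO_INFO_NS})
    req_query = iq.find(f"{{{DISCO_INFO_NS}}}query")
    if req_query is not None and req_query.get("node"):
        query.set("node", req_query.get("node"))  # echo caps node
    for var in features:
        ET.SubElement(query, "feature", {"var": var})
    return ET.tostring(reply, encoding="unicode")


# Constructed sample requests: one from a contact's server, one from
# a domain the user has no contact at.
REQ_CONTACT_SERVER = ('<iq type="get" from="example.net" id="d1">'
                      f'<query xmlns="{DISCO_INFO_NS}" node="http://example.client/caps#abc"/></iq>')
REQ_UNKNOWN = ('<iq type="get" from="attacker.com" id="d2">'
               f'<query xmlns="{DISCO_INFO_NS}" node="http://example.client/caps#abc"/></iq>')

if __name__ == "__main__":
    print(handle_disco_info(REQ_CONTACT_SERVER, ROSTER, FEATURES))
    print(handle_disco_info(REQ_UNKNOWN, ROSTER, FEATURES))
```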
