On 7/6/09 12:40 PM, Philipp Hancke wrote:
> Peter Saint-Andre wrote:
>> On 7/6/09 12:09 PM, Philipp Hancke wrote:
>>> Peter Saint-Andre wrote:
>>>> As discussed recently on the list, I've updated XEP-0175 (Best
>>>> Practices for Use of SASL ANONYMOUS) to provide more detailed
>>>> recommendations regarding usage restrictions for anonymous users.
>>>>
>>>> http://xmpp.org/extensions/tmp/xep-0175-1.2.html
>>>>
>>>> http://svn.xmpp.org:18080/browse/XMPP/trunk/extensions/xep-0175.xml?%40diffMode=u&%40diffWrap=s&r1=1675&r2=3308&u=3&ignore=&k=
>>>
>>> One additional thing that might make banning those users in a room
>>> easier:
>>> Encode the originating ip address in the resource using either a hash
>>> or a symmetric encryption algorithm so that whenever a user connects
>>> from the same IP, they get the same resource (or resource-prefix).
>>> In IRC, this enables room operators to ban a specific IP without
>>> disclosing the address itself.
>>
>> That seems sensible.
>
> heh... xmpp should be more like irc ;-)

Well, in fact, if the server doesn't allow outbound communication (to
remote domains) then the server can correlate the IP addresses of banned
anonymous users and come to its own conclusions -- there is no real need
for the server to transform the IP address into the resource identifier
because the room admins don't need to know or care about IP addresses.

That logic changes if you allow an anonymous user to communicate with
entities on remote servers. But then it's a more general problem, and
not limited to anonymous users.

>> Something like cryptopan?
>> http://www.cc.gatech.edu/computing/Telecomm/projects/cryptopan/
>
> Nice. That's way more advanced than what some ircds do.
> What ircds usually did is map the ip/hostname to
> cryptothing.provider.tld
> This enables room operators to ban whole providers or even countries
> with a single command.
> cryptopan sounds like a good idea, but might be too difficult for the
> average room operator.

I think we're now into a MUC issue, not a SASL ANONYMOUS issue...

Peter

--
Peter Saint-Andre
https://stpeter.im/
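
The resource-prefix idea discussed in this thread, as an added example that is not code from any participant or from an XMPP server: a keyed hash turns the connecting IP into a stable resource with one label per prefix length, so a room operator can ban one address or a whole range without seeing the IP. This is a plain HMAC scheme, not Crypto-PAn; the names `cloak` and `is_banned`, the prefix lengths, the label length and the key are assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample key; a real deployment would load a long-lived server secret.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
# Assumed policy: one label per prefix length, coarse to fine.
LEVELS = {4: (16, 24, 32), 6: (32, 48, 64)}

def cloak(ip: str, key: bytes = SERVER_KEY, label_len: int = 8) -> str:
    """Map an IP to a stable pseudonym 'l1.l2.l3' that does not reveal the IP."""
    addr = ipaddress.ip_address(ip)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    labels = []
    for plen in LEVELS[addr.version]:
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        # Keyed hash: a bare hash of an IPv4 address can be reversed by
        # hashing all 2**32 candidates, so the secret key is what protects it.
        mac = hmac.new(key, net.with_prefixlen.encode(), hashlib.sha256)
        labels.append(mac.hexdigest()[:label_len])
    return ".".join(labels)

def is_banned(resource: str, bans: set) -> bool:
    """True if a ban entry equals the cloak or any leading run of its labels."""
    labels = resource.split(".")
    return any(".".join(labels[:n]) in bans for n in range(1, len(labels) + 1))

if __name__ == "__main__":
    # Constructed documentation-range addresses.
    a, b = cloak("192.0.2.10"), cloak("192.0.2.77")
    bans = {a.rsplit(".", 1)[0]}  # operator bans the /24 by resource prefix
    for res in (a, b, cloak("198.51.100.5")):
        print(res, "banned" if is_banned(res, bans) else "allowed")
```

Rotating the key changes every pseudonym, which invalidates existing bans; keeping it fixed keeps pseudonyms linkable across sessions, which is the property the ban list relies on.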
