On Jul 27, 2009, at 9:39 AM, Pedro Melo wrote:
> On 2009/07/27, at 16:15, Kurt Zeilenga wrote:
>> On Jul 27, 2009, at 3:19 AM, Pedro Melo wrote:
>>> On 2009/07/23, at 23:29, XMPP Extensions Editor wrote:
>>>
>>> In example 8, the 'to' attribute is misplaced, should be in the
>>> top level <iq> stanza. Also present in example 9, maybe it should
>>> be a from there?
>>
>> No. The client is requesting its server return the catalog for
>> example.com. Moving the to= to the <iq> stanza would imply the
>> client is requesting example.com return its catalog.
>>
>> One thing that's not clear in the XEP is the expectation that
>> clients are to generally ask their server for catalogs (even of
>> remote jids). This is done for a couple of reasons. One, it
>> allows their local server to translate the remote catalog into the
>> local policy. Second, it allows the local server to filter the
>> remote catalog based upon the requestor's clearance (the remote
>> server is unlikely to know what clearance the remote (to them)
>> has). I'll try to add some text here.
>
> Is that wise?

In short, yes.

> I mean I understand the reasons, but usually in XMPP we don't let
> JID X provide authoritative information about JID Y to prevent
> spoofing or MITM attacks.

A client wants to know what labels it can use in messages sent to a
particular JID. These messages may pass through multiple servers,
each of which can be operating under a different policy and
practices. Asking the server hosting a particular JID may provide a
completely useless answer, as the labels offered by the hosting server may
be issued under a different policy and/or of a syntax not understood
by the client. That is, the foreign catalog may need translation into
the local policy. Consider for instance the case where the client's
server has a policy that all messages directed to JIDs hosted by some
foreign server carry a particular only-locally-valid label (regardless
of what the JID's hosting server requires). The only useful answer to
this client's catalog request is a catalog with that particular label.
-- Kurt
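
The two reasons given in the thread (translation into local policy, filtering on the requester's clearance) and the fixed-label case from the last paragraph, sketched as an added example that is not part of the original messages or of the XEP. The function name, label names, domains other than example.com, and policy tables are all hypothetical sample data.

```python
# Constructed model of a local server answering a client's catalog request
# for a remote domain. Labels, domains and tables are hypothetical.

# Local policy ordering of labels (higher number = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "SECRET": 2}

# Local policy: how a foreign domain's labels translate into local labels.
TRANSLATION = {
    "partner.example": {
        "PUBLIC": "UNCLASSIFIED",
        "INTERNAL": "RESTRICTED",
        "CONFIDENTIAL": "SECRET",
    },
}

# Local policy: domains whose traffic must always carry one fixed,
# only-locally-valid label, whatever the hosting server offers.
FORCED_LABEL = {"example.com": "RESTRICTED"}


def local_catalog(remote_domain, remote_catalog, requester_clearance):
    """Return the labels a local client may use for JIDs at remote_domain."""
    ceiling = LEVELS[requester_clearance]
    forced = FORCED_LABEL.get(remote_domain)
    if forced is not None:
        # The remote catalog is irrelevant here: the only useful answer
        # is the label the local policy mandates.
        candidates = [forced]
    else:
        table = TRANSLATION.get(remote_domain, {})
        # Foreign labels with no local equivalent are dropped, since the
        # client could not interpret or use them.
        candidates = [table[lbl] for lbl in remote_catalog if lbl in table]
    # Filter on the requester's clearance, which only the local server knows.
    return [lbl for lbl in candidates if LEVELS[lbl] <= ceiling]


if __name__ == "__main__":
    remote = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "FOREIGN-ONLY"]
    print(local_catalog("partner.example", remote, "RESTRICTED"))
    print(local_catalog("example.com", remote, "SECRET"))
```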