On Jul 27, 2009, at 9:39 AM, Pedro Melo wrote:
On 2009/07/27, at 16:15, Kurt Zeilenga wrote:
On Jul 27, 2009, at 3:19 AM, Pedro Melo wrote:
On 2009/07/23, at 23:29, XMPP Extensions Editor wrote:
In example 8, the 'to' attribute is misplaced, should be in the
top level <iq> stanza. Also present in example 9, maybe it should
be a from there?
No. The client is requesting its server return the catalog for
example.com. Moving the to= to the <iq> stanza would imply the
client is requesting example.com return its catalog.
One thing that's not clear in the XEP is the expectation that
clients are to generally ask their server for catalogs (even of
remote jids). This is done for a couple of reasons. One, it
allows their local server to translate the remote catalog into the
local policy. Second, it allows the local server to filter the
remote catalog based upon the requestor's clearance (the remote
server is unlikely to know what clearance the remote (to them)
has). I'll try to add some text here.
Is that wise? I mean I understand the reasons, but usually in XMPP
we don't let JID X provide authoritative information about JID Y to
prevent spoofing or MITM attacks.
I note that simply asking the server hosting Y for information about Y
doesn't in itself prevent spoofing or MITM attacks.
But another way to simply respond to your comment is to note that the
JID X is not being authoritative for Y, it's being authoritative for
what its willing to allow in the context of Y.
I guess that in these environment, if you have a compromised server
you are already in a lot of trouble though...
Best regards,
