-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 8/13/09 6:45 PM, Andy Skelton wrote:
> XEP-0175 1.2rc1, which states:
>
> "After a client authenticates using the SASL ANONYMOUS mechanism, it
> MUST bind a resource; the server SHOULD ignore the resource identifier
> provided by the client (if any) and instead assign a resource
> identifier that it generates on behalf of the client."
>
> Why shouldn't the server bind the resource provided by the client?

The idea (perhaps questionable) is that many or most XMPP servers assign
all anonymous users to an account like [email protected] or perhaps
literally [email protected]. A repeat user could then use the same full
JID over and over, like [email protected]/anotherUUID, to essentially
emulate a registered account.

Another possible annoyance would be to repeatedly use obnoxious resource
identifiers (remember, these are anonymous, unknown users) for spamming
or personal attacks, like:

[email protected]/This Is The Medicine You Need!

or

[email protected]/stpeter-is-an-idiot

Whether any of these attack vectors are worrisome is another matter.

Peter

- --
Peter Saint-Andre
https://stpeter.im/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqEuK4ACgkQNL8k5A2w/vxVSACfY2w+0+s5dYAsPqXIwSWGuEam
rdsAn0HyZ0Gu+7UVFw5mGUDMattK4c7h
=JH89
-----END PGP SIGNATURE-----
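The server-side rule discussed in this thread, as an added example that is not part of the original message, the XEP, or any XMPP server's code: a bind handler that parses the client's `<bind/>` IQ, honours a requested resource only for registered accounts (and only when it is syntactically acceptable and free), and for SASL ANONYMOUS sessions always substitutes a randomly generated resource, so a repeat visitor can neither reuse a fixed full JID nor put an abusive string into it. The `Session` class, the shared `anonymous` localpart, the `example.com` domain, the sample stanzas and the `in_use` set are assumptions constructed for the demo; resourceprep is deliberately left out and only the RFC 6122 length limit is checked.

```python
"""Resource binding for SASL ANONYMOUS sessions, following the XEP-0175 rule.

Added example, not code from XEP-0175 or from any XMPP server. The session
model, the localpart "anonymous", the domain example.com, the stanzas and
the in_use bookkeeping are assumptions made for this demo.
"""
import secrets
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_BIND = "urn:ietf:params:xml:ns:xmpp-bind"

# Constructed bind request: a client asking for an abusive resource identifier.
SAMPLE_BIND_REQUEST = (
    "<iq xmlns='jabber:client' type='set' id='bind_1'>"
    "<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>"
    "<resource>stpeter-is-an-idiot</resource>"
    "</bind></iq>"
)


class Session:
    """Post-SASL stream state the server holds before resource binding (assumed model)."""

    def __init__(self, localpart, domain, anonymous):
        self.localpart = localpart    # assumption: one shared localpart for all anonymous users
        self.domain = domain
        self.anonymous = anonymous    # True when the stream authenticated with SASL ANONYMOUS
        self.resource = None


def requested_resource(iq_xml):
    """Return the <resource/> text from a bind IQ, or None if the client sent none."""
    iq = ET.fromstring(iq_xml)
    if iq.tag != f"{{{NS_CLIENT}}}iq" or iq.get("type") != "set":
        raise ValueError("not a bind request")
    bind = iq.find(f"{{{NS_BIND}}}bind")
    if bind is None:
        raise ValueError("missing <bind/> child")
    res = bind.find(f"{{{NS_BIND}}}resource")
    if res is None or not res.text or not res.text.strip():
        return None
    return res.text.strip()


def generate_resource():
    """Server-chosen, unguessable resource: 128 bits of randomness as 32 hex chars."""
    return secrets.token_hex(16)


def acceptable_resource(resource):
    """Minimal syntax check: non-empty and at most 1023 bytes (the RFC 6122 limit).
    A real server would also apply resourceprep; that is omitted here."""
    return 0 < len(resource.encode("utf-8")) <= 1023


def choose_resource(session, requested, in_use):
    """Apply the XEP-0175 rule: anonymous sessions never get the resource they ask for."""
    if session.anonymous:
        # Discard the client's choice entirely: neither a fixed resource reused
        # across visits nor an abusive string can ever become part of the JID.
        return generate_resource()
    if requested is None or not acceptable_resource(requested) or requested in in_use:
        # Registered account: honour the request only when it is valid and free,
        # otherwise fall back to a generated resource.
        return generate_resource()
    return requested


def handle_bind(session, iq_xml, in_use):
    """Process a bind IQ; record the resource and return (full JID, IQ result stanza)."""
    iq_id = ET.fromstring(iq_xml).get("id", "")
    resource = choose_resource(session, requested_resource(iq_xml), in_use)
    session.resource = resource
    in_use.add(resource)
    full_jid = f"{session.localpart}@{session.domain}/{resource}"
    result = ET.Element(f"{{{NS_CLIENT}}}iq", {"type": "result", "id": iq_id})
    bind = ET.SubElement(result, f"{{{NS_BIND}}}bind")
    ET.SubElement(bind, f"{{{NS_BIND}}}jid").text = full_jid
    return full_jid, ET.tostring(result, encoding="unicode")


if __name__ == "__main__":
    anon = Session("anonymous", "example.com", anonymous=True)
    print(handle_bind(anon, SAMPLE_BIND_REQUEST, set()))
```

Two sessions that both authenticate anonymously and both request `stpeter-is-an-idiot` end up with different, random full JIDs, which is exactly what removes both the "emulate a registered account" and the "obnoxious resource" vectors from the message above; a registered account binding the same request keeps it, unless that resource is already bound.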
