On 8/13/09 7:43 PM, Andy Skelton wrote:
> On Thu, Aug 13, 2009 at 8:15 PM, Brian Cully<[email protected]> wrote:
>> On 13-Aug-2009, at 21:06, Peter Saint-Andre wrote:
>>> Whether any of these attack vectors are worrisome is another matter.
>> I tend not to think so. In the case where a bare JID is reused (e.g.,
>> "[email protected]") then it's acceptable to generate a resource (thus,
>> the SHOULD should become a MAY in the XEP), and it comes down to a
>> particular server implementation and how it generates bare JIDs. In the case
>> where the bare JID is truly unique to any given stream then there's no
>> reason to generate a resource.
>
> I would also like to see SHOULD replaced by MAY in that sentence.
> Other than that I like the changes.

In my working version of the spec, I now have:

   On public servers where the same JID is reused for multiple
   anonymous sessions, the server MAY ignore the resource identifier
   provided by the client (if any) and instead assign a resource
   identifier that it generates on behalf of the client.

OK?

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
