On Wed, Sep 23, 2009 at 3:40 PM, Waqas Hussain <[email protected]> wrote: > Quoting from one of my messages on the security list: > <feature var='http://jabber.org/protocol/muc'/> > can still be replaced by > <identity category='http:' type='/jabber.org' xml:lang='protocol' > name='muc'/> > which can be replaced by > <identity category='http:/' type='jabber.org' xml:lang='protocol' > name='muc'/> > Therefore, the security benefit of requiring minimum lengths is > questionable.
AFAIK, since features must be sorted, the only thing you can replace with an identity is the first feature with the last identity. If we insert a dummy feature or identity between them the problem could be avoided (besides possible implementation problems, but a dummy feature preceding all the others doesn't seem dangerous) by -- Fabio Forno, Bluendo srl http://www.bluendo.com jabber id: [email protected]
