Dave Cridland typeth:
| Let me also clarify - if we could send IM presence once over a link
| and have fan-out controlled by a foreign domain, I'd be happy with
| it. But I don't think that's a practical option, given that it
| requires greater trust between domains, and prevents various other
| forms of control. FWIW, the same applies to PEP versus general
| PubSub, I think, and these are the same protocol, but with different
| controls.

It's trivial to modify a server in such a way that it will report all presence of all peers of its users to an administrator or to modify a server in such a way that it reports probes from wannabe-invisible users. So you already *are* trusting other servers. Having the recipient server manage subscriptions instead of you "remote controlling" them is no new security issue.

The security issue is elsewhere. In order to deliver presence to the right people the server must additionally store subscription acknowledgments from the peers (presence type=subscribed) and not let the local user or client infiltrate other people's presence slaves (in a multicast master/slave architecture) by fiddling with subscription state=to. Any server implementor who adds multicast to her server must also provide for this subscription safety mechanism, including silently removing a recipient, if this is what the peer expects.

'stanza repeaters' seems to be the right kind of approach here with all the special requirements XMPP presence has.

- _// Carlo v. Loesch _// http://symlynX.com/
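
The subscription safety mechanism described in the reply above, sketched as an added example that is not part of the original post or of any XMPP server: a recipient-side fan-out list that admits a local user only after the peer's `subscribed` acknowledgment arrives over the server-to-server link. The class and method names are hypothetical, stanzas are reduced to plain arguments, and the `authenticated_domain` check (the sender's domain must match the authenticated link) is an assumption added here.

```python
# Added illustration; all names are hypothetical and JIDs are bare (user@domain).

def _domain(jid):
    return jid.split("@", 1)[-1]


class PresenceFanout:
    """Recipient server's list of local users per remote presence sender."""

    def __init__(self):
        self.pending = set()  # (local_user, remote_jid): subscribe sent, no ack yet
        self.acked = {}       # remote_jid -> local users the peer has approved

    def local_subscribe(self, local_user, remote_jid):
        # A local request is recorded but grants nothing by itself.
        self.pending.add((local_user, remote_jid))

    def client_roster_set(self, local_user, remote_jid, subscription):
        # A client asserting subscription='to' is never believed: the state
        # changes only through stanzas received from the peer's server.
        return False

    def inbound_s2s(self, from_jid, to_user, ptype, authenticated_domain):
        # Assumption: acks count only if the sender's domain matches the link.
        if _domain(from_jid) != authenticated_domain:
            return False
        key = (to_user, from_jid)
        if ptype == "subscribed" and key in self.pending:
            self.pending.discard(key)
            self.acked.setdefault(from_jid, set()).add(to_user)
            return True
        if ptype == "unsubscribed":
            # Peer revoked the subscription: drop the recipient silently.
            self.pending.discard(key)
            self.acked.get(from_jid, set()).discard(to_user)
            return True
        return False  # unsolicited or unknown stanza type

    def fan_out(self, from_jid, authenticated_domain):
        # One presence stanza arrived over the link; list who may receive it.
        if _domain(from_jid) != authenticated_domain:
            return []
        return sorted(self.acked.get(from_jid, set()))
```

An unsolicited `subscribed` for a user with no pending request is rejected, so a recipient cannot be added to the list without both the local request and the peer's acknowledgment.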
