On 9/14/11 4:31 PM, "Waqas Hussain" <[email protected]> wrote:
> An entity which understood double verify would have the option to
> either be vulnerable to poisoning, or participate in IQ floods. It's
> this that I'm against.

Presumably, the new XEP would recommend that you negatively cache in the
case that it rejected an unverified caps result.

> So poisoning succeeds. And what happens with these logs? How do you
> find the poison needle in the haystack of legitimate messages? I hope
> you don't want admins to do this...

You have the choice. All of your clients can just reject caps that
don't have the second hash, and negatively cache them. Some of my
clients will want to do backward-compatibility for the next year or
two, but that's a risk I'm willing to take on behalf of my customers.

-- 
Joe Hildebrand
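The trade-off the two of them are arguing about (verify the caps hash and reject what does not match, then negatively cache the rejected `ver` so the same presence does not cost another disco#info round trip, at the price of the honest clients sharing that `ver` also going unresolved) can be made concrete. The following is an added example, not code from this thread or from any XMPP library. The `ver` computation follows the published XEP-0115 algorithm, and the sample disco#info payload is the one from XEP-0115's own generation example, which documents the result `QgayPKawpkPSDYmwT/WM94uAlu0=`. The cache policy, the JIDs, the `bogus-feature` URN and the `CapsCache`/`resolve` names are assumptions for illustration; the "second hash" of the proposed XEP is not modeled, and negative entries have no expiry here.

```python
"""XEP-0115 entity-caps verification with a negative cache (added example)."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    category: str
    type: str
    lang: str = ""
    name: str = ""


def caps_ver(identities, features, algo="sha-1"):
    """Verification string per XEP-0115 section 5: identities sorted by
    category/type/lang, then sorted features, each followed by '<'."""
    ordered = sorted(identities, key=lambda i: (i.category, i.type, i.lang))
    s = "".join(f"{i.category}/{i.type}/{i.lang}/{i.name}<" for i in ordered)
    s += "".join(f"{f}<" for f in sorted(features))
    digest = hashlib.new(algo.replace("-", ""), s.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


class CapsCache:
    """Assumed cache policy: only verified results are shared across entities;
    a ver whose disco#info answer failed verification is remembered so that
    further presences carrying it trigger no IQ traffic."""

    def __init__(self, fetch_disco_info):
        self._fetch = fetch_disco_info  # callable(jid) -> (identities, features)
        self._verified = {}             # ver -> sorted feature list
        self._rejected = set()          # ver values that failed verification
        self.iq_count = 0               # disco#info queries actually sent

    def resolve(self, jid, ver, algo="sha-1"):
        if ver in self._verified:
            return self._verified[ver]
        if ver in self._rejected:
            return None  # negative hit: do not query again
        self.iq_count += 1
        identities, features = self._fetch(jid)
        # Duplicate features make the result invalid under XEP-0115; a hash
        # mismatch means the answer does not describe the advertised ver.
        if len(features) != len(set(features)) or caps_ver(identities, features, algo) != ver:
            self._rejected.add(ver)
            return None
        self._verified[ver] = sorted(features)
        return self._verified[ver]


# Payload from XEP-0115's generation example.
EXODUS = ([Identity("client", "pc", name="Exodus 0.9.1")],
          ["http://jabber.org/protocol/caps",
           "http://jabber.org/protocol/disco#info",
           "http://jabber.org/protocol/disco#items",
           "http://jabber.org/protocol/muc"])
VER = caps_ver(*EXODUS)


def demo():
    # Constructed directory of disco#info answers: alice answers honestly,
    # mallory advertises the same ver but answers with features that do not
    # hash to it.
    answers = {
        "alice@example.com/pc": EXODUS,
        "mallory@example.com/x": (EXODUS[0], ["http://jabber.org/protocol/caps",
                                              "urn:constructed:bogus-feature"]),
    }
    # Scenario 1: honest result verified first; later presences with that ver
    # are served from cache, so there is nothing left to poison.
    c1 = CapsCache(lambda jid: answers[jid])
    r1 = c1.resolve("alice@example.com/pc", VER)
    r1b = c1.resolve("mallory@example.com/x", VER)
    # Scenario 2: the mismatching answer arrives first and is rejected; the ver
    # is negatively cached, so no IQ flood, but alice goes unresolved too.
    c2 = CapsCache(lambda jid: answers[jid])
    r2 = c2.resolve("mallory@example.com/x", VER)
    r2b = c2.resolve("alice@example.com/pc", VER)
    return {"verified_features": r1, "reused_without_iq": r1b, "iq_scenario1": c1.iq_count,
            "rejected": r2, "honest_after_rejection": r2b, "iq_scenario2": c2.iq_count}


if __name__ == "__main__":
    print(VER)
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Scenario 2 is the "poisoning succeeds" outcome Waqas describes: nothing false enters the shared cache, but an honest client advertising the same `ver` is denied its entry for as long as the negative record lives, which is why a real implementation would give negative entries a short TTL and could additionally key them by sender.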
