On Tue Oct 4 22:37:12 2011, XMPP Extensions Editor wrote:
> 1. Is this specification needed to fill gaps in the XMPP protocol
> stack or to clarify an existing protocol?
Yes.

> 2. Does the specification solve the problem stated in the
> introduction and requirements?
In the vast majority of cases, yes.

> 3. Do you plan to implement this specification in your code? If
> not, why not?
Yes, I'm currently updating the client implementation in Gajim to
match this spec. I am aware of the M-Link implementation in some
detail as well.

> 4. Do you have any security concerns related to this specification?
The specification is entirely concerned with security, therefore my
concerns below are security concerns.

> 5. Is the specification accurate and clearly written?
Yes, in general.

My main concern in reading it with fresh eyes is the discussion on
labelling in PubSub.

In XEP-0045, it's pretty clear that rooms can have clearances (and
therefore a set of suitable labels), and the parallel in XEP-0060
would be that nodes would have clearances. Indeed, they do in M-Link.
However, because the catalogue request logic is on a jid granularity,
this means that clients are unable to discover whether a given node
should have a given item (with label) published to it. The security
implication here is that a client may unwittingly send a publication
of data too sensitive for the node.

In addition, I feel that the label should be extracted from the
<item/> and, when broadcast, sent at the top-level, in order to allow
for servers to process them through the ACDF in a uniform manner.

I would note that while XEP-0258 support in MUC and in general
messaging exists in the wild, PubSub (including PEP) XEP-0258 work
has yet to be done; I suggest that this is stripped from this XEP and
moved to another.

If this were done it would leave the rest of the document suitable
for Draft; otherwise I think there's more work to be done in
stabilizing the XEP-0060/XEP-0258 interaction.
Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade