On Thu, Feb 7, 2013 at 11:49 AM, Winfried Tilanus <[email protected]> wrote:
> When searching on identifiers like phone numbers or e-mail addresses,
> they have to be reliable, otherwise the risk of identity theft or
> nonsense results is too big. Though a hosting node can verify an e-mail
> address or even a (mobile) phone number, there is no way to guarantee the
> hosting node did so correctly. The only identifier that might be
> verified, by federation, is the jid. So I think the e-mail addresses or
> the phone numbers should not be searchable, except when it is on the
> same domain or the server admins trust the other domain in this. When the
> domain is not trusted, the jid (and the associated data) can be
> verified by federation, so imho it is essential to federate with the
> hosting node before presenting any search results.
>

Right. Verification seems to be one of the key issues here. Don't know how to solve it yet but maybe one could go with a crowd-sourced trust model [1] if that works. This of course only works if some contacts of the user new to the party already are in this distributed database.

[1] http://wiki.xmpp.org/web/Secure_Distributed_JID_Discovery#Alternative_To_Plain_Verification
