On 15 July 2015 at 16:12, Florian Schmaus <[email protected]> wrote:

> On 15.07.2015 10:12, Dave Cridland wrote:
> > Can we add something into the security considerations for this document
> > which discusses the exposure of the jid in "by", please?
>
> I had the same thought, but then discarded adding such a consideration
> because the only JIDs worth protecting are the ones of clients. And
> those don't have a need to set the 'by' value.

If you considered it, then it's a security consideration. ;-)

More seriously, it exposes non-terminal jids in a manner that may or may not leak something to an attacker - it may not ever leak anything useful in the ways you've considered using it, but a protocol requiring id stamping of some intermediary that's otherwise not exposed could be problematic.

> But, adding an explicit statement about (client) JID leaks can't hurt.
> Noted for the next version bump of XEP-SID.
>
> - Florian
