* XMPP Extensions Editor <[email protected]> [2017-02-09 00:07]:
> 1. Is this specification needed to fill gaps in the XMPP protocol stack or to
> clarify an existing protocol?

yes

> 2. Does the specification solve the problem stated in the introduction and
> requirements?

yes, to approximately 90%. The last bullet point in §2 still has undefined
corner cases for MUC-PMs which I'd like to address (as described later in
this mail):

| All clients that turn on the new protocol MUST be able to see all
| outbound instant messaging messages from all of the resources of the
| user, regardless of whether the clients for the other resources have
| implemented the new protocol.

> 3. Do you plan to implement this specification in your code? If not, why not?

yes, already implemented.

> 4. Do you have any security concerns related to this specification?

yes. While the spec clearly addresses security in §11, CVE-2017-5589+ [0] has
shown that a dozen developers independently introduced the same security
vulnerability when implementing the XEP. Because of this, I suggest adding
stronger and clearer wording regarding the security implications to §7 (or a
dedicated "client processing" section) as well. There is a pending PR at
https://github.com/xsf/xeps/pull/413 that should improve the wording already,
and I'd like to add some more warning words once it is merged.

> 5. Is the specification accurate and clearly written?

The spec is good, and some of the issues I have with it are going to be
resolved with #413. However, I'd like to properly specify the MUC and MUC-PM
interactions with Carbons, as I suggested two weeks ago in
https://mail.jabber.org/pipermail/standards/2017-January/032048.html

Specifically, I'd like to make explicit rules for how clients and servers
should tag and interpret MUC-related messages. Please discuss the details and
interop with 0045 in that thread.

Georg

[0] https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/

-- 
|| http://op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++ ||
|| gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+     ||
|| Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?      ||
|| ++ IRCnet OFTC OPN ||_________________________________________________||
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
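Editor's note: the mail above only cites CVE-2017-5589 and XEP-0280 §11 without spelling out the client-side check in question. The following is an added example, not code from this thread or from any XMPP client. It assumes the §11 rule as published in XEP-0280 (a Carbons-enabled client MUST only accept forwarded copies whose outer stanza is from the user's own bare JID, and MUST ignore any others) and uses constructed sample stanzas; the accept-everything variant shows the processing pattern the mail describes a dozen implementations sharing, and the hardened variant applies the §11 check before trusting the wrapped message.

```python
"""Client-side validation of XEP-0280 Message Carbons (added example).

Not code from the standards@ thread or from any real client. The two sample
stanzas are constructed for this example; the §11 requirement is quoted from
XEP-0280 and is not stated in the mail this example accompanies.
"""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def bare(jid):
    """Strip the resource and lower-case the result.

    Lower-casing is a simplification of real JID canonicalization
    (stringprep/PRECIS); it is sufficient for the ASCII sample JIDs here.
    """
    return jid.split("/", 1)[0].lower()


def unwrap_forwarded(outer):
    """Return (direction, inner <message>) for a <received>/<sent> carbon, else None."""
    for direction in ("received", "sent"):
        wrapper = outer.find(f"{{{NS_CARBONS}}}{direction}")
        if wrapper is not None:
            inner = wrapper.find(f"{{{NS_FORWARD}}}forwarded/{{{NS_CLIENT}}}message")
            if inner is not None:
                return direction, inner
    return None


def summarize(direction, inner):
    """Reduce the inner message to the fields a client would display/store."""
    body = inner.findtext(f"{{{NS_CLIENT}}}body") or ""
    return {"direction": direction, "from": inner.get("from"),
            "to": inner.get("to"), "body": body}


def process_carbon_vulnerable(stanza_xml):
    """Deliberately vulnerable: trusts any carbon wrapper regardless of who
    sent the outer stanza, so any contact can forge a "copy" of a message
    that appears to come from someone else."""
    outer = ET.fromstring(stanza_xml)
    found = unwrap_forwarded(outer)
    return summarize(*found) if found else None


def process_carbon(stanza_xml, own_jid):
    """Hardened per XEP-0280 §11: the outer 'from' must be exactly our own
    bare JID (present, no resource, same account); otherwise ignore it."""
    outer = ET.fromstring(stanza_xml)
    if outer.tag != f"{{{NS_CLIENT}}}message":
        return None
    sender = outer.get("from")
    if sender is None or "/" in sender or sender.lower() != bare(own_jid):
        return None  # not from our server on behalf of our account: drop it
    found = unwrap_forwarded(outer)
    return summarize(*found) if found else None


# Constructed sample: a genuine carbon, delivered by the user's own server.
LEGIT = """<message xmlns='jabber:client' from='romeo@montague.example'
  to='romeo@montague.example/home' type='chat'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='juliet@capulet.example/balcony'
        to='romeo@montague.example/garden' type='chat'>
        <body>Wherefore art thou?</body>
      </message>
    </forwarded>
  </received>
</message>"""

# Constructed sample: a third party wraps a forged message in a carbon envelope.
SPOOFED = """<message xmlns='jabber:client' from='mallory@evil.example/x'
  to='romeo@montague.example/home' type='chat'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='juliet@capulet.example/balcony'
        to='romeo@montague.example/garden' type='chat'>
        <body>Send the keys to mallory@evil.example</body>
      </message>
    </forwarded>
  </received>
</message>"""


if __name__ == "__main__":
    me = "romeo@montague.example/home"
    print("vulnerable, spoofed:", process_carbon_vulnerable(SPOOFED))
    print("hardened,   spoofed:", process_carbon(SPOOFED, me))
    print("hardened,   legit:  ", process_carbon(LEGIT, me))
```

The hardened check is the whole of the §11 requirement; the same comparison must also be applied to `<sent>` carbons, which is why both wrappers go through `process_carbon`. Note that the check is against the outer stanza's `from`, not the inner one: the inner `from` is attacker-controlled data in the spoofed case.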
