On Sunday, 4 March 2018 17:02:07 CET Peter Saint-Andre wrote:
> If we want to specify this, I would recommend the UsernameCaseMapped
> profile defined in RFC 8265.
>
> However, there's a twist: if a node ID can be a full JID, then do we
> want to apply the normal rules of RFC 7622 to all the JID parts, instead
> of one uniform profile such as UsernameCaseMapped to the entire node ID?
> For instance, the resourcepart of a JID is allowed to contain a much
> wider range of Unicode characters than is allowed by the
> UsernameCaseMapped profile of the PRECIS IdentifierClass (which we use
> for the localpart).
>
> Given that a node ID can be used for authorization decisions, I think
> it's better to be conservative in what we accept (specifically, not
> allow the wider range of characters in a resourcepart because
> developers, and attackers, could get too "creative").

I would argue that adding those restrictions / any kind of string prepping to XEP-0060 or XEP-0030 nodes is (a) too late and (b) ambiguous at least, as you mentioned (depending on the data).

I’d also argue that nodes aren’t shown or typed into a field by users normally, so I would not worry about that kind of normalization here. If a specific XEP-0030/XEP-0060-based protocol needs more guarantees, I think those can be defined there.

kind regards,
Jonas
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________