Hello,

in the past, implementations of certain XEPs have been susceptible to security vulnerabilities, and it would be great if we could prevent future implementors from repeating the same errors.

On the one hand, we already have progressively strong wording in our Security Considerations, and are aiming to add anti-examples to make the corner cases and implications more clear, e.g. https://xmpp.org/extensions/xep-0280.html#example-11

On the other hand, there are some developers that just won't read the spec, merely copy&paste from the examples until something works. A thing that does work in the positive case, however, isn't guaranteed to also prevent a negative case from working.

Therefore, and after some discussions on the xsf@ MUC, I have prepared a new XEP element `<cve/>` that allows the XEP author to add a visually distinctive reference to previous failures of implementing that XEP properly.

The goals of this new element are:

- provide a clear warning to developers when reading a XEP
- have a standardized syntax for CVEs that we can later use for additional benefits

While the `<cve/>` element can be placed within any section of the XEP text, later on it becomes much easier to find CVE references, and to add them e.g. to the XEP header or to some place on our web site.

Syntax example (from https://github.com/xsf/xeps/pull/1055):

    <cve id="2017-5589" url="https://rt-solutions.de/en/cve-2017-5589_xmpp_carbons/">
      Multiple XMPP Clients User Impersonation Vulnerability
    </cve>

This will be rendered as shown here: https://op-co.de/tmp/xep-0280.html#security

Questions for bike shedding:

- Should there be a title and a distinct text block to provide a summary (who should write that summary then?)
- Do we need an anchor so that we can link to a CVE reference?
- Should there be more visual cues (a big red warning sign? blink? marquee?)
- Will that work across all of our output formats? I only tested HTML.

Kind regards,

Georg
Standards mailing list. Info: https://mail.jabber.org/mailman/listinfo/standards
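The post's second goal is a standardized `<cve/>` syntax that tooling can later pick up, e.g. to list the references in the XEP header or on the web site. The script below is an added example of such a tool and is not Georg's code nor part of the xsf/xeps repository or its XSLT build; it only takes the element name and the `id`/`url` attributes from the syntax example in the post. The sample XEP skeleton, the function names, the rule that an `id` is a bare `YYYY-NNNN` (with a tolerated `CVE-` prefix), the duplicate handling and the fallback to a cve.org record URL when `url` is missing are all assumptions made for illustration.

```python
"""Collect and validate <cve/> references from a XEP source document.

Added example, not code from the xsf/xeps repository. Only the element
name and its id/url attributes come from the proposal; the sample document,
the normalisation rules and the helper names are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: the id attribute carries "YYYY-NNNN" (four or more sequence
# digits) and the "CVE-" prefix is implied by the element name.
CVE_ID_RE = re.compile(r"^\d{4}-\d{4,}$")

# Assumption: when no url attribute is given, point at the CVE record.
CVE_RECORD_URL = "https://www.cve.org/CVERecord?id=CVE-{}"

# Constructed sample: a trimmed XEP skeleton with three <cve/> elements in
# the Security Considerations section, one well-formed, one duplicate
# written with the prefix, and one malformed.
SAMPLE_XEP = """<xep>
  <header>
    <title>Message Carbons</title>
    <number>0280</number>
  </header>
  <section1 topic='Introduction' anchor='intro'>
    <p>Some introductory text.</p>
  </section1>
  <section1 topic='Security Considerations' anchor='security'>
    <p>Clients MUST check the sender of a carbon copy.</p>
    <cve id="2017-5589" url="https://rt-solutions.de/en/cve-2017-5589_xmpp_carbons/">
      Multiple XMPP Clients User Impersonation Vulnerability
    </cve>
    <cve id="CVE-2017-5589" url="https://example.invalid/dup">
      Duplicate reference written with the CVE- prefix
    </cve>
    <cve id="bogus" url="https://example.invalid/bad">
      Malformed identifier
    </cve>
  </section1>
</xep>
"""


def normalise_cve_id(raw):
    """Return the bare YYYY-NNNN form, or None if the id is not well-formed."""
    candidate = raw.strip()
    if candidate.upper().startswith("CVE-"):
        candidate = candidate[4:]
    return candidate if CVE_ID_RE.match(candidate) else None


def extract_cves(xep_xml):
    """Walk a XEP document and collect every <cve/>, wherever it is placed.

    Returns (references, problems). references: one dict per distinct CVE
    with the normalised id, url, summary text and the anchor of the nearest
    enclosing section. problems: (raw id, reason) pairs, so a build step can
    refuse a document with malformed or duplicated references.
    """
    root = ET.fromstring(xep_xml)
    # ElementTree has no parent pointers; build a map so the enclosing
    # section anchor can be found for deeply nested elements too.
    parents = {child: parent for parent in root.iter() for child in parent}

    def enclosing_anchor(el):
        while el is not None:
            if el.tag.startswith("section") and el.get("anchor"):
                return el.get("anchor")
            el = parents.get(el)
        return None

    references, problems, seen = [], [], set()
    for cve in root.iter("cve"):
        raw = cve.get("id", "")
        cve_id = normalise_cve_id(raw)
        if cve_id is None:
            problems.append((raw, "malformed id"))
            continue
        if cve_id in seen:
            problems.append((raw, "duplicate of " + cve_id))
            continue
        seen.add(cve_id)
        references.append({
            "id": cve_id,
            "url": cve.get("url") or CVE_RECORD_URL.format(cve_id),
            # Collapse the whitespace of the pretty-printed element body.
            "summary": " ".join((cve.text or "").split()),
            "anchor": enclosing_anchor(cve),
        })
    return references, problems


def header_lines(references):
    """Render one line per CVE, e.g. for a XEP header or an index page."""
    return ["CVE-{id}: {summary} ({url})".format(**ref) for ref in references]


if __name__ == "__main__":
    refs, probs = extract_cves(SAMPLE_XEP)
    for line in header_lines(refs):
        print(line)
    for raw, reason in probs:
        print("problem: id=%r: %s" % (raw, reason))
```

Run it on a real XEP source and the `problems` list is the part worth wiring into CI: a reference that cannot be normalised would otherwise render as a warning box with a dead identifier, which is exactly the copy-and-paste outcome the element is meant to prevent.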
