Another thought: Any spec that triggers traffic to a third party JID based on other incoming traffic can be used for DOS amplification attacks. This one seems only somewhat vulnerable (max payload size of the pubsub element + max JID size bytes) but any of them can also become worse if implementations have flaws (such as naively copying the payload which could also result in any unknown garbage elements on the end being copied, making the attack much worse if vulnerable clients existed).
It may be worth mentioning this in the security considerations section, or providing a way to verify by a push from the old account instead of querying it. —Sam _______________________________________________ Standards mailing list Info: https://mail.jabber.org/mailman/listinfo/standards Unsubscribe: [email protected] _______________________________________________
