On Thursday 15 January 2009 08:51:30 Peter Saint-Andre wrote: > As we discussed in the jdev room yesterday, I think you would use the > machine-name that you discovered via SRV lookup: > > http://logs.jabber.org/j...@conference.jabber.org/2009-01-14.html#16:01:06
Yes, this is the consensus. There is, however, some worry about DNS-based attacks, since the connect host is derived insecurely through the SRV lookup. One obvious but totally impractical fix is to use DNSSEC. Another is to use XEP-233. Yet another is to offer some explicit trust mechanisms in the client (e.g. a field where the user can type the connect host in advance, to mark as trusted). -Justin _______________________________________________ JDev mailing list Forum: http://www.jabberforum.org/forumdisplay.php?f=20 Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: jdev-unsubscr...@jabber.org _______________________________________________
