[Standards] XEP-0175 (was: Re: Anonymous SASL and Presence)

2009-07-02 Thread Peter Saint-Andre

On 6/30/09 8:37 AM, Dave Cridland wrote:
> On Tue Jun 30 15:33:35 2009, Matthew Wild wrote:
>> It does. Anonymous users get given a unique (~random) JID, with an
>> empty roster. So you /can/ send presence, you just either have to send
>> it to a known address, or add people to your temporary roster first.
>
> FWIW, although I agree that's what *should* happen, nothing in the
> specifications available says that's what does.
>
> Perhaps an update to include such things in XEP-0175 is in order?

Indeed, aligning XEP-0175 more closely with RFC 4505 might be helpful.
For example, RFC 4505 says that typically an anonymous user will have
restricted access but it seems to leave the definition of restricted
access up to the application protocol. The security considerations
section of RFC 4505 talks about denial of service attacks and the like,
so we might want to discuss such issues in XEP-0175 a bit more than we
do now. Et cetera.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/




Re: [Standards] XEP-0175 (was: Re: Anonymous SASL and Presence)

2009-07-02 Thread Matthew Wild
On Thu, Jul 2, 2009 at 5:02 PM, Peter Saint-Andre stpe...@stpeter.im wrote:

> On 6/30/09 8:37 AM, Dave Cridland wrote:
>> On Tue Jun 30 15:33:35 2009, Matthew Wild wrote:
>>> It does. Anonymous users get given a unique (~random) JID, with an
>>> empty roster. So you /can/ send presence, you just either have to send
>>> it to a known address, or add people to your temporary roster first.
>>
>> FWIW, although I agree that's what *should* happen, nothing in the
>> specifications available says that's what does.
>>
>> Perhaps an update to include such things in XEP-0175 is in order?
>
> Indeed, aligning XEP-0175 more closely with RFC 4505 might be helpful.
> For example, RFC 4505 says that typically an anonymous user will have
> restricted access but it seems to leave the definition of restricted
> access up to the application protocol. The security considerations
> section of RFC 4505 talks about denial of service attacks and the like,
> so we might want to discuss such issues in XEP-0175 a bit more than we
> do now. Et cetera.


Based on this and discussion on the topic the other day in jdev, I
just made a commit to Prosody to disable s2s by default for anonymous
users. This can of course be overridden by admins if they so choose,
but it seems a very sane default for me.

I wouldn't be against adding this recommendation to XEP-0175.

Matthew
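As an added illustration of the restricted-access policy discussed in this thread (it is not code from the thread and not Prosody's implementation), the following sketch mints a random JID for an ANONYMOUS session and refuses stanzas that session addresses to a remote domain, which would otherwise cross an s2s link, unless the admin opts in. The domain `example.org`, the sample stanzas and all function names are assumptions for the example.

```python
"""Policy check for ANONYMOUS SASL sessions: each anonymous session gets a
random throwaway JID, and stanzas it sends to a remote domain (i.e. over
s2s) are dropped unless the admin explicitly allows it. Illustrative code."""
import secrets
import xml.etree.ElementTree as ET

LOCAL_DOMAIN = "example.org"  # assumed local domain, constructed for the example


def anonymous_jid(domain: str = LOCAL_DOMAIN) -> str:
    """Mint an unguessable throwaway bare JID for an anonymous session."""
    return f"{secrets.token_urlsafe(12)}@{domain}"


def jid_domain(jid: str) -> str:
    """Return the domain part of a bare or full JID."""
    bare = jid.split("/", 1)[0]      # drop the resource, if any
    return bare.rsplit("@", 1)[-1]   # drop the localpart, if any


def stanza_allowed(stanza_xml: str, sender_anonymous: bool,
                   local_domain: str = LOCAL_DOMAIN,
                   allow_anonymous_s2s: bool = False) -> bool:
    """Return True if the session may send this stanza.

    Authenticated (non-anonymous) sessions are unrestricted here. An
    anonymous session may only address the local domain; any other
    domain would require a server-to-server connection and is refused
    unless allow_anonymous_s2s is set by the admin. A deployment with
    components on subdomains would need to treat those as local too.
    """
    if not sender_anonymous:
        return True
    stanza = ET.fromstring(stanza_xml)
    to = stanza.get("to")
    if to is None:                   # no 'to': addressed to the user's own server
        return True
    if jid_domain(to).lower() == local_domain.lower():
        return True
    return allow_anonymous_s2s


# Constructed sample stanzas for a local chat, a remote subscription, and a server IQ
LOCAL_MSG = '<message to="bob@example.org/phone" type="chat"><body>hi</body></message>'
REMOTE_PRESENCE = '<presence to="carol@remote.example" type="subscribe"/>'
SERVER_IQ = '<iq type="get" id="r1"><query xmlns="jabber:iq:roster"/></iq>'

if __name__ == "__main__":
    print(anonymous_jid(), stanza_allowed(LOCAL_MSG, True),
          stanza_allowed(REMOTE_PRESENCE, True))
```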