On Saturday 21 February 2009 10:02:36 Jiří Zárevúcký wrote:
> Hello. The draft states the following:
>
> "For initial stream headers in client-to-server communication, if the
> client knows the XMPP identity of the principal controlling the client
> (typically an account name of the form <n...@domain>), then it MUST
> include the 'from' attribute and MUST set its value to that identity."
>
> However, the first initial stream is unencrypted. This would send the
> user's identity through an insecure connection. Perhaps it's not a big
> security issue (presuming the user is not absolutely paranoid), but since
> there is no benefit of this at all, I think it isn't such a good idea
> to send the identity with the header.
Like other fields used before securing the connection, it is useful as a hint. However, no sensitive transactions should occur until the identity is proven. The identity will be secured during TLS/SASL negotiation, and any other fields are repeated in a new <stream>, so there's no risk of trusting insecure data. -Justin
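To make Justin's point concrete, here is an added Python model (not code from this thread or from any XMPP implementation) of a server that records the pre-TLS 'from' only as a hint, expects the header to be re-sent on the TLS stream, and relies on the identity only once SASL has proven it; the ServerStream class, the account name and the domain are assumptions.

```python
import xml.etree.ElementTree as ET

def parse_stream_header(header):
    """Return the attributes of an unclosed <stream:stream> opening tag; the tag
    stays open for the life of the stream, so close it artificially first."""
    root = ET.fromstring(header.rstrip() + "</stream:stream>")
    if root.tag != "{http://etherx.jabber.org/streams}stream":
        raise ValueError("not a stream header")
    return dict(root.attrib)

class ServerStream:
    def __init__(self):
        self.tls = False
        self.hint = None           # unverified 'from' of the current stream header
        self.authenticated = None  # identity proven by SASL, or None

    def on_stream_header(self, header):
        attrs = parse_stream_header(header)
        # Record 'from' as a hint only: before TLS it travelled in the clear, and
        # even after TLS nothing yet proves the client controls that identity.
        self.hint = attrs.get("from")
        return attrs

    def on_starttls(self):
        self.tls = True
        self.hint = None  # the client must send a fresh header on the TLS stream

    def on_sasl_success(self, authorized_jid):
        if not self.tls or self.hint is None:
            raise RuntimeError("SASL requires a TLS stream with a new header")
        self.authenticated = authorized_jid

    def identity(self):
        return self.authenticated  # what sensitive operations may rely on

def run_exchange():
    # Constructed sample header; the account and domain are placeholders.
    header = ("<stream:stream xmlns='jabber:client' "
              "xmlns:stream='http://etherx.jabber.org/streams' "
              "from='juliet@example.com' to='example.com' version='1.0'>")
    s = ServerStream()
    s.on_stream_header(header)
    hint, before = s.hint, s.identity()      # hint present, no trusted identity
    s.on_starttls()
    s.on_stream_header(header)               # same fields, repeated on the new stream
    s.on_sasl_success("juliet@example.com")
    return {"hint_before_tls": hint, "identity_before_tls": before,
            "identity_after_sasl": s.identity(), "hint_matches": s.hint == s.identity()}
```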
