On Thu, Jul 2, 2009 at 5:02 PM, Peter Saint-Andre <stpe...@stpeter.im> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 6/30/09 8:37 AM, Dave Cridland wrote:
>> On Tue Jun 30 15:33:35 2009, Matthew Wild wrote:
>>> It does. Anonymous users get given a unique (~random) JID, with an
>>> empty roster. So you /can/ send presence, you just either have to send
>>> it to a known address, or add people to your temporary roster first.
>>
>> FWIW, although I agree that's what *should* happen, nothing in the
>> specifications available says that's what does.
>>
>> Perhaps an update to include such things in XEP-0175 is in order?
>
> Indeed, aligning XEP-0175 more closely with RFC 4505 might be helpful.
> For example, RFC 4505 says that typically an anonymous user will have
> "restricted access" but it seems to leave the definition of restricted
> access up to the application protocol. The security considerations
> section of RFC 4505 talks about denial of service attacks and the like,
> so we might want to discuss such issues in XEP-0175 a bit more than we
> do now. Et cetera.
>
Based on this and discussion on the topic the other day in jdev, I just made a commit to Prosody to disable s2s by default for anonymous users. This can of course be overridden by admins if they so choose, but it seems a very sane default to me. I wouldn't be against adding this recommendation to XEP-0175.

Matthew