On 3/4/18 10:54 AM, Jonas Wielicki wrote:
> On Sonntag, 4. März 2018 17:02:07 CET Peter Saint-Andre wrote:
>> If we want to specify this, I would recommend the UsernameCaseMapped
>> profile defined in RFC 8265.
>>
>> However, there's a twist: if a node ID can be a full JID, then do we
>> want to apply the normal rules of RFC 7622 to all the JID parts, instead
>> of one uniform profile such as UsernameCaseMapped to the entire node ID?
>> For instance, the resourcepart of a JID is allowed to contain a much
>> wider range of Unicode characters than is allowed by the
>> UsernameCaseMapped profile of the PRECIS IdentifierClass (which we use
>> for the localpart).
>>
>> Given that a node ID can be used for authorization decisions, I think
>> it's better to be conservative in what we accept (specifically, not
>> allow the wider range of characters in a resourcepart because
>> developers, and attackers, could get too "creative").
> 
> I would argue that adding those restrictions / any kind of string prepping to 
> XEP-0060 or XEP-0030 nodes is (a) too late and (b) ambiguous at least, as you 
> mentioned (depending on the data).

I would argue that not specifying normalization rules is a security hole
(e.g., allowing an attacker to gain unauthorized access to a node). Just
because we should've done this years ago doesn't mean we can fix it now.

> I’d also argue that nodes aren’t shown or typed into a field by users 
> normally, so I would not worry about that kind of normalization here.

So that only automated attackers can succeed? :-)

> If a specific XEP-0030/XEP-0060-based protocol needs more guarantees, I think 
> those can be defined there.

No, this needs to be done at the lowest level we can manage. Pushing
this off to extensions just means we'll have inconsistent approaches.

Peter
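Added example, not from this thread or any XEP: a simplified, stdlib-only approximation of the UsernameCaseMapped profile applied to node IDs before they are used as authorization keys, with the ACL lookup it guards. The function names, the NodeACL class and the sample JIDs are assumptions; the width-mapping, case-folding, NFC and IdentifierClass steps follow RFC 8265, while the directionality rule and the RFC 8264 exception and context lists are omitted.

```python
"""Simplified PRECIS UsernameCaseMapped (RFC 8265) enforcement for pubsub/disco node IDs.
Hypothetical example: approximates the profile with the standard library only."""
import unicodedata

# PRECIS IdentifierClass "LetterDigits" categories (RFC 8264, section 9.1).
LETTER_DIGITS = {"Ll", "Lu", "Lo", "Nd", "Lm", "Mn", "Mc"}


def _width_map(s: str) -> str:
    """Width Mapping rule: fold fullwidth/halfwidth forms to their compatibility base."""
    out = []
    for ch in s:
        decomp = unicodedata.decomposition(ch)
        if decomp.startswith("<wide>") or decomp.startswith("<narrow>"):
            ch = unicodedata.normalize("NFKC", ch)
        out.append(ch)
    return "".join(out)


def _in_identifier_class(ch: str) -> bool:
    """Printable ASCII (no space) or a LetterDigits code point; everything else is disallowed."""
    if 0x21 <= ord(ch) <= 0x7E:
        return True
    return unicodedata.category(ch) in LETTER_DIGITS


def enforce_username_case_mapped(node: str) -> str:
    """Return the canonical form of a node ID, or raise ValueError if it is not acceptable."""
    if not node:
        raise ValueError("empty node ID")
    s = _width_map(node)
    s = s.casefold()                          # Case Mapping rule (Unicode Default Case Folding)
    s = unicodedata.normalize("NFC", s)       # Normalization rule
    bad = [hex(ord(c)) for c in s if not _in_identifier_class(c)]
    if bad:
        raise ValueError(f"disallowed code points: {bad}")
    return s


class NodeACL:
    """Owner table keyed by the canonical node ID, so lookalike IDs cannot bypass or shadow it."""
    def __init__(self) -> None:
        self._owners: dict[str, str] = {}

    def create(self, node: str, owner_jid: str) -> str:
        key = enforce_username_case_mapped(node)  # rejects e.g. spaces or zero-width characters
        if key in self._owners:
            raise ValueError(f"node {key!r} already exists")
        self._owners[key] = owner_jid
        return key

    def is_owner(self, node: str, jid: str) -> bool:
        try:
            key = enforce_username_case_mapped(node)
        except ValueError:
            return False                          # malformed IDs never match anything
        return self._owners.get(key) == jid
```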



_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards