> …this is the line of thought that neglects that we are working on a
> federated system where we cannot assume that every actor is faithful.
> ID assigned by the sending entity can potentially be observed by another
> malicious actor and be reproduced ("spoofed").
There is nothing stopping me from reproducing your stanza ids elsewhere, but 
that causes no problem unless there is interaction with an entity who already 
received a stanza with such an id - which it should be checking for anyway, 
regardless of 'by' value.

> Referencing messages via such IDs is hence worrisome at best, or simply
> insecure at worst.
Referencing messages by any non-encrypted value (or even message content, for 
that matter) is simply insecure; there is no way around that in a publicly 
federated network where any hop could potentially alter a message.

> <stanza-id/> tries to mitigate this by the 'by' attribute, which denotes
> the entity that assigned the ID, for example a MUC. If the MUC behaves in a
> standards-compliant way, then it will reject (or at least sanitize) incoming
> messages containing a <stanza-id/> with a 'by' attribute denoting its
> from the MUC.
Let's assume that every hop appends its own <stanza-id/> because you can never 
fully trust that the previous one wasn't altered - which stanza-id does a 
recipient use? The only stanza-id you can reliably trust to be 'real' is the 
one you received the stanza from, and so all previous stanza-ids should be 
ignored, in which case each hop may as well strip and replace them with its 
own. In that case, you already know who the stanza-id is 'by' and it is the 
only one.

> Yes, MUCs could also spoof IDs, but at least you only have to trust the
> MUC and not everyone in the federated network to behave nicely.
The MUC is the originator of the stanza in this case, so it should assign its 
own unique message id. The original sender, who directed the MUC to forward the 
message to room participants, will want to match up its sent message with the 
one it receives from the MUC - so then it's useful for the MUC to inform (only) 
the original sender "this was the id you used when you sent me this message" in 
the same forwarded message.

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
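The per-hop "strip and replace" rule and the MUC reflection argued for in the reply above, as an added Python example (not code from the thread or from any XMPP project). It assumes the message is handled as an ElementTree element, uses the XEP-0359 namespace urn:xmpp:sid:0, and assumes the MUC hands the sender's own id back in the 'id' attribute of the sender's copy, a mapping the thread does not specify.

```python
import copy
import uuid
import xml.etree.ElementTree as ET

SID_NS = "urn:xmpp:sid:0"                 # XEP-0359 stanza-id namespace
SID_TAG = "{%s}stanza-id" % SID_NS

# Constructed sample: a message arriving at a MUC that already carries a
# <stanza-id/> claiming to be 'by' the room itself (forged upstream) and
# one assigned by the sender's own server.
SAMPLE = (
    '<message xmlns="jabber:client" id="client-42" type="groupchat" '
    'from="alice@example.org/pc" to="room@muc.example.org">'
    '<body>hello</body>'
    '<stanza-id xmlns="urn:xmpp:sid:0" id="forged-1" by="room@muc.example.org"/>'
    '<stanza-id xmlns="urn:xmpp:sid:0" id="srv-7" by="example.org"/>'
    '</message>'
)

def trusted_stanza_ids(stanza, received_from):
    """(by, id) pairs a recipient may rely on: only those whose 'by' is the
    entity the stanza was actually received from. Any other <stanza-id/>
    could have been inserted or altered by an earlier hop."""
    return [(e.get("by"), e.get("id")) for e in stanza.findall(SID_TAG)
            if e.get("by") == received_from]

def restamp(stanza, own_jid, new_id=None):
    """A forwarding hop strips every incoming <stanza-id/> and appends its
    own, so the next recipient sees exactly one and knows who it is 'by'."""
    for e in list(stanza.findall(SID_TAG)):
        stanza.remove(e)
    sid = ET.SubElement(stanza, SID_TAG)
    sid.set("id", new_id or str(uuid.uuid4()))
    sid.set("by", own_jid)
    return sid.get("id")

def muc_reflect(stanza, room_jid, room_id):
    """The MUC originates the reflected message: every occupant's copy gets
    the room-assigned id and the room's own stanza-id; only the original
    sender's copy additionally carries the id the sender used, so the sender
    can match the echo against what it sent (assumed mapping: 'id' attr)."""
    original_id = stanza.get("id")
    for_room = copy.deepcopy(stanza)
    for_room.set("id", room_id)
    restamp(for_room, room_jid, room_id)
    for_sender = copy.deepcopy(for_room)
    for_sender.set("id", original_id)
    return for_room, for_sender
```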