[ https://issues.apache.org/jira/browse/WAVE-7?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ali Lown updated WAVE-7:
------------------------
    Component/s: Protocol

> Improved authentication and security
> ------------------------------------
>
>                 Key: WAVE-7
>                 URL: https://issues.apache.org/jira/browse/WAVE-7
>             Project: Wave
>          Issue Type: Bug
>          Components: Protocol
>            Priority: Minor
>              Labels: security
>
> From reading the protocol spec, it appears that UCE (or Unsolicited
> Commercial Waves (UCW)?) could still be a problem. I have read in the spec
> that the underlying XMPP connections will be secured using TLS, but perhaps
> we should go one step further and require validation of domain certificates
> in order to prevent anonymous and ubiquitous junk-mail which has plagued
> e-mail systems for years. One possible answer might be to use a resource
> record in DNS to store the public key for a wave-domain and require the
> validation of the certificate in order for wavelets to propagate between
> wave-domains. An additional measure might be a methodology for allowing
> wave-domains to validate users when wavelets are propagating. So,
> wave-domains would be assured that the source of the wavelet is from the
> indicated server and that the user account is a valid user in good standing
> prior to allowing that user to participate in a wave. This would make
> current UCE/UCW all but impossible because every user would have to be
> validated and could be individually denied. Botnets would have no chance
> because they cannot be validated. Mass accounts created on public servers
> would be quickly sniffed out and locked upon suspicion of spamming. It
> would solve many of the problems of modern messaging.
> ---
> Issue imported from http://code.google.com/p/wave-protocol/issues/detail?id=5
> Owner: anthonybaxter
> Label: Type-Defect
> Label: Priority-Medium
> Stars: 5
> State: open
> Status: New



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
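
The DNS-published key check proposed in the quoted issue, sketched as an added example (not part of the issue or of the Wave code base). The record format `v=wavekey1; alg=...; fp=...`, the function names and the sample keys are assumptions made for illustration; the check fails closed when no valid record matches.

```python
import hashlib
import hmac

# Hypothetical record format (not defined by the Wave protocol or the issue):
#   "v=wavekey1; alg=sha256; fp=<hex digest of the server's public key bytes>"
SUPPORTED_ALGS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_key_record(txt):
    """Parse one record into (alg, digest_bytes); return None if unusable."""
    fields = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            fields[name.strip().lower()] = value.strip()
    if fields.get("v") != "wavekey1" or fields.get("alg") not in SUPPORTED_ALGS:
        return None  # unknown version or unsupported/weak digest algorithm
    try:
        digest = bytes.fromhex(fields.get("fp", ""))
    except ValueError:
        return None
    if len(digest) != SUPPORTED_ALGS[fields["alg"]]().digest_size:
        return None  # truncated or padded fingerprint
    return fields["alg"], digest


def key_is_published(domain_records, presented_key):
    """True only if a valid record pins the key the remote server presented.
    No records, or only malformed ones, means the peer is rejected."""
    matched = False
    for txt in domain_records:
        parsed = parse_key_record(txt)
        if parsed is None:
            continue
        alg, digest = parsed
        actual = SUPPORTED_ALGS[alg](presented_key).digest()
        if hmac.compare_digest(actual, digest):
            matched = True
    return matched


# Constructed sample data: two pinned keys (current and rollover) plus a
# record using an unsupported algorithm, which must be ignored.
SERVER_KEY = b"constructed-public-key-bytes-for-example.com"
ROLLOVER_KEY = b"constructed-next-public-key-bytes"
RECORDS = [
    "v=wavekey1; alg=sha256; fp=" + hashlib.sha256(SERVER_KEY).hexdigest(),
    "v=wavekey1; alg=sha512; fp=" + hashlib.sha512(ROLLOVER_KEY).hexdigest(),
    "v=wavekey1; alg=md5; fp=00",
]
```

The records are only as trustworthy as the lookup that returned them, so a deployment of this idea needs an authenticated DNS answer (for example DNSSEC validation) before the comparison means anything.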