[JDEV] jabber:iq:oob problems

[Robert Temple]

I have two issues with "out of band" iq messages. 
(File Transfers)

1.  Server requires a Jabber ID resource.

The server doesn't respond the way I expected when I try to 
send a oob request to another user and I don't include the 
resource in the user's Jabber ID.  The server responds with 
an error message.  I expected this to work, because when I 
don't include a resource when I send an message, the server 
works fine.  Is this a bug?

Without the server's help with resources, its going to be 
hard to send someone files who is not on my roster.

2.  OOB/mini web server sequence of events 

There isn't any documentation on the sequence of events that
is supposed to happen between clients using oob iqs.  After
the one client sends the initial oob iq, when is the other
client supposed to respond with its own iq result?  Is it 
before, during or after they attempt to connect to the other 
clients mini HTTP server?

Its important that the sequence is done correctly to prevent
hackers from downloading the file that was meant for someone
else.  Its also important for it to be documented so that
different clients can interoperate!

I plan to do it this way:  the first client sends out the
oob iq, starts its mini web server and creates a unique,
virtual URI for the file.  At this point, the miniweb server
allows anyone to connect and send an HTTP request. It sends
the HTTP response headers, but it doesn't start sending the 
file until it gets an oob iq result back from the 2nd 
client.  If the 2nd client responds with an error but someone 
connected to the web server and requested that file, then the 
web server cuts off that connection.  Last, the HTTP server
only allows one request for the virtual URI.  Once a 
request has been made, it removes that URI from its list.

Does this sound like a reasonable and secure implementation?

Thanks,
Robert