[JDEV] servers specifying from fields

Mathew A Johnston johnston at megaepic.com
Thu Mar 1 18:29:50 CST 2001


With regards to my last message:

I've been told that the from field on messages is set by the server
which the client used to send the message and that this was done to help
prevent users from forging from addresses. It is my opinion that this
should never be done by the server, as it hardly reduces the chances of
forged messages (any user can run their own server). It also greatly
complicates the proposal that I just put forward about encrypting whole
messages to have them parsed after decryption by the receiving client. If
an encrypted <message> tag passes by the server, the server cannot add
the from attribute, and if the user was not allowed to supply their own
from attribute, there won't be a from attribute on the received message.
A HACK around this would be for the decrypting client to assume the same
from attribute as was attached to the encapsulating message.

If you want to assure the integrity and source of a message, use the
message signing facilities provided by the jabber:x:signed namespace.

Mathew Johnston
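
The workaround described above, where the decrypting client gives the inner message the from attribute of the encapsulating message, as an added example that is not part of the original post. The wrapper namespace, the function names and the base64 stand-in for real encryption are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Hypothetical wrapper namespace: the proposal's wire format is not on this page.
ENC_NS = "example:x:encrypted-message"


def wrap(inner_xml, to_jid, client_from=None):
    """Sending client: carry an encrypted inner <message> in an outer one."""
    outer = ET.Element("message", {"to": to_jid})
    if client_from:
        outer.set("from", client_from)  # the server will overwrite this
    payload = ET.SubElement(outer, "{%s}x" % ENC_NS)
    # Stand-in for real encryption (constructed for this example): base64.
    payload.text = base64.b64encode(inner_xml.encode()).decode()
    return ET.tostring(outer, encoding="unicode")


def server_stamp(stanza_xml, authenticated_jid):
    """Sending server: set 'from' to the JID of the authenticated session."""
    stanza = ET.fromstring(stanza_xml)
    stanza.set("from", authenticated_jid)
    return ET.tostring(stanza, encoding="unicode")


def unwrap(outer_xml):
    """Receiving client: decrypt, then give the inner stanza the outer 'from'.

    Returns (inner_element, warnings). The server never saw the inner stanza,
    so any 'from' found inside it is unverified and is overridden.
    """
    outer = ET.fromstring(outer_xml)
    stamped = outer.get("from")
    payload = outer.find("{%s}x" % ENC_NS)
    if stamped is None or payload is None or not payload.text:
        raise ValueError("missing server-stamped 'from' or encrypted payload")
    inner = ET.fromstring(base64.b64decode(payload.text))  # stand-in decrypt
    if inner.tag != "message":
        raise ValueError("decrypted payload is not a <message>")
    warnings = []
    claimed = inner.get("from")
    if claimed is not None and claimed != stamped:
        warnings.append("inner from %s overridden by %s" % (claimed, stamped))
    inner.set("from", stamped)
    return inner, warnings
```

The inherited from is only as trustworthy as the server that stamped the outer stanza; it is not a substitute for a signature over the message.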





