[JDEV] jabber:iq:search question
Peter Saint-Andre
stpeter at jabber.org
Tue Dec 10 11:44:42 CST 2002
I've taken this discussion to the XMPP list.
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php
On Tue, 10 Dec 2002, David Waite wrote:
>
> On Monday, December 9, 2002, at 05:51 PM, Peter Saint-Andre wrote:
>
> > Hmm, does this technique rely on sending multiple IQ results with the
> > same
> > 'id' attribute? If so, that's in violation of the XMPP core doc, which
> > specifies that the value of an ID must be unique within a stream (this
> > is
> > consistent with the XML spec).
> >
> This is not correct - there is no way that you can enforce ID
> uniqueness since the IDs are determined by multiple schemes by multiple
> endpoints. I cannot determine if two parties will send me a message
> stamped with the same 'id' attribute. I also cannot prevent two
> info-query requests against my client from different parties (which
> will require me to respond with the same 'id' attribute twice for
> correctness, once to each party).
>
> When it comes down to it, the ID is just a transactional cue for the
> benefit of clients, since all communication is asynchronous.
>
> Or in other words, this requirement in draft-ietf-xmpp-core is
> incorrect; we do not meet it now and it is impossible to meet in either
> direction of the XML stream. Traffic originating from an endpoint
> SHOULD have unique id attributes, but there is nothing else in the
> system which will fail if they don't.
>
> -David Waite
>
>
> > Peter
> >
> > --
> > Peter Saint-Andre
> > Jabber Software Foundation
> > http://www.jabber.org/people/stpeter.php
> >
> > On Sun, 8 Dec 2002, Sebastiaan 'CBAS' Deckers wrote:
> >
> >> Is there any implementation of a public service using this technique?
> >> My client supports these sequential results however I could never test
> >> this in the real world.
> >> This is an interesting protocol design choice, but it raises security
> >> concerns. When all you have to rely on is the "id" attribute, how
> >> much
> >> chance is there that someone can spoof results? Or even by accident,
> >> as
> >> most libraries don't generate random id's.
> >>
> >> --
> >> Sebastiaan
> >>
> >>
> >> Peter Saint-Andre wrote:
> >>> If you have implemented jabber:iq:search in your software AND you are
> >>> using the feature that enabled you so receive multiple IQs for large
> >>> result sets, I would appreciate it if you could let me know. When I
> >>> documented jabber:iq:search in JEP-0055, I left this out because I
> >>> have
> >>> not been able to find implementations. But if there are
> >>> implementations, I
> >>> may add it in.
> >>>
> >>> Thanks.
> >>>
> >>> Peter
> >>>
> >>> --
> >>> Peter Saint-Andre
> >>> Jabber Software Foundation
> >>> http://www.jabber.org/people/stpeter.php
> >>
> >> _______________________________________________
> >> jdev mailing list
> >> jdev at jabber.org
> >> http://mailman.jabber.org/listinfo/jdev
> >>
> >
> > _______________________________________________
> > jdev mailing list
> > jdev at jabber.org
> > http://mailman.jabber.org/listinfo/jdev
> >
>
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
>
More information about the JDev
mailing list