[JDEV] Implementation of JEP-0025 (Jabber HTTP Polling)
David Waite
mass at akuma.org
Thu Jun 6 14:35:11 CDT 2002
An informational JEP documents an existing implementation. It will not
be changed so it no longer maps the existing implementation. I agree
with Peter Millard, we need a separate, standards-track version. If you
feel that we need to make it clearer that this particular JEP is
informational, that is different, and we can talk about that on the
standards-jig mailing list.
-David Waite
Michael F Lin wrote:
>I agree, unfortunately, we now have a new implementation based on this
>"informational" JEP which is vulnerable to the same security problems. So I
>propose that the informational vs. standards track distinction is pretty
>meaningless. Look at Matthias' comments - he used it for lack of anything
>better.
>
>The authors of this JEP, in my opinion, have the responsibility of fixing
>it. We have handed them several ways to do so. Jabber, Inc., in my opinion,
>has the responsibility of fixing its web client before its users using it
>for "financial applications" get burned.
>
>-Mike
>
>
>
>|---------+---------------------------->
>| | "Peter Millard" |
>| | <me at pgmillard.com|
>| | > |
>| | Sent by: |
>| | jdev-admin at jabber|
>| | .org |
>| | |
>| | |
>| | 06/06/2002 01:05 |
>| | PM |
>| | Please respond to|
>| | jdev |
>| | |
>|---------+---------------------------->
> >------------------------------------------------------------------------------------------------------------------------------|
> | |
> | To: <jdev at jabber.org> |
> | cc: |
> | Subject: Re: [JDEV] Implementation of JEP-0025 (Jabber HTTP Polling) |
> | |
> | |
> >------------------------------------------------------------------------------------------------------------------------------|
>
>
>
>Mike -
>
>
>
>>I agree, and I strongly recommend against the use of JEP-0025 as-is
>>for any remotely sensitive purposes.
>>
>>We have been aware of the security problems for two months and have
>>proposed multiple viable solutions, but nothing has been fixed. This
>>JEP either needs to be fixed or withdrawn.
>>
>>
>
>*disclaimer: I am employed by Jabber, Inc* :)
>
>JEP-25 is INFORMATIONAL! It won't be withdrawn as it's not standards track.
>The whole idea behind informational JEPS is that they allow companies (like
>Jabber, Inc.) to document the protocol extensions that they build, so other
>people in the jabber community can use and build other products to them (if
>they so desire). It's unlikely that this JEP will change since it reflects
>a
>currently deployed product (good bad or ugly :).
>
>Someone needs to take JEP-25 as a base, and create a new STANDARDS track
>JEP
>that fixes the security holes in the current implementation and submit it.
>Then client authors (like myself) can choose to implement either JEP-25,
>the
>new standards JEP, or both.
>
>Hope this makes sense.
>
>Peter M.
>
>_______________________________________________
>jdev mailing list
>jdev at jabber.org
>http://mailman.jabber.org/listinfo/jdev
>
>
>
>
>
>_______________________________________________
>jdev mailing list
>jdev at jabber.org
>http://mailman.jabber.org/listinfo/jdev
>
>
More information about the JDev
mailing list