[JDEV] Implementation of JEP-0025 (Jabber HTTP Polling)

Ivan M. Hendricks ivan at microshock.com
Thu Jun 6 19:33:01 CDT 2002


I was just about to announce one, as well, but now wondering if I should
hold off until there is an agreed upon resolution. It's a Windows platform
implementation.

Although insecure, it was the only solution for me as our Co. blocks just
about everything. I'm using Exodus as it supports Polling.

By the way, I found out about Jabber about 1 month ago and think it's a
GREAT solution in that it is an open solution and, of course, that there
have been several gateways developed.

I'll have to jump over to jig to see what the outcome will be.

Cheers,

Ivan

----- Original Message -----
From: "David Waite" <mass at akuma.org>
To: <jdev at jabber.org>
Sent: Thursday, June 06, 2002 12:35 PM
Subject: Re: [JDEV] Implementation of JEP-0025 (Jabber HTTP Polling)


> An informational JEP documents an existing implementation. It will not
> be changed so it no longer maps the existing implementation. I agree
> with Peter Millard, we need a separate, standards-track version. If you
> feel that we need to make it clearer that this particular JEP is
> informational, that is different, and we can talk about that on the
> standards-jig mailing list.
>
> -David Waite
>
> Michael F Lin wrote:
>
> >I agree, unfortunately, we now have a new implementation based on this
> >"informational" JEP which is vulnerable to the same security problems. So
> >I propose that the informational vs. standards track distinction is pretty
> >meaningless. Look at Matthias' comments - he used it for lack of anything
> >better.
> >
> >The authors of this JEP, in my opinion, have the responsibility of fixing
> >it. We have handed them several ways to do so. Jabber, Inc., in my
> >opinion, has the responsibility of fixing its web client before its users
> >using it for "financial applications" get burned.
> >
> >-Mike
> >
> >
> >
> >"Peter Millard" <me at pgmillard.com>
> >Sent by: jdev-admin at jabber.org
> >06/06/2002 01:05 PM
> >Please respond to jdev
> >
> >To: <jdev at jabber.org>
> >cc:
> >Subject: Re: [JDEV] Implementation of JEP-0025 (Jabber HTTP Polling)
> >
> >
> >
> >Mike -
> >
> >
> >
> >>I agree, and I strongly recommend against the use of JEP-0025 as-is
> >>for any remotely sensitive purposes.
> >>
> >>We have been aware of the security problems for two months and have
> >>proposed multiple viable solutions, but nothing has been fixed. This
> >>JEP either needs to be fixed or withdrawn.
> >>
> >>
> >
> >*disclaimer: I am employed by Jabber, Inc* :)
> >
> >JEP-25 is INFORMATIONAL! It won't be withdrawn as it's not standards
> >track. The whole idea behind informational JEPs is that they allow
> >companies (like Jabber, Inc.) to document the protocol extensions that
> >they build, so other people in the jabber community can use and build
> >other products to them (if they so desire). It's unlikely that this JEP
> >will change since it reflects a currently deployed product (good, bad or
> >ugly :).
> >
> >Someone needs to take JEP-25 as a base, and create a new STANDARDS track
> >JEP that fixes the security holes in the current implementation and submit
> >it. Then client authors (like myself) can choose to implement either
> >JEP-25, the new standards JEP, or both.
> >
> >Hope this makes sense.
> >
> >Peter M.
> >
> >_______________________________________________
> >jdev mailing list
> >jdev at jabber.org
> >http://mailman.jabber.org/listinfo/jdev