[JDEV] Discussion of transports?
Andrew Sayers
andrew-list-jabber-jdev at ccl.bham.ac.uk
Sun Sep 28 11:59:50 CDT 2003
On Wed, Sep 24, 2003 at 04:04:37 -0600, Joe Hildebrand wrote:
>
> Even if you allowed transports to do this, there should probably be an
> access-control check. I can't think of a good (secure) way to do that such
> that I can be a user on server A, and access a transport running on server
> B.

What insecurities are you thinking of? If you can't trust the path
between your client and your transport, you have bigger problems than
roster pushes.

> Aside from the S2S thing, you could get there with today's servers by having
> the transport start a session on behalf of the user, retrieve the roster,
> and then do roster sets/presence subscribes. The roster pushes would then
> happen automatically to other sessions.

Well, this can only be done *properly* by modifying servers or clients.
It seems to me that modifying the server is preferable because there are
fewer server implementations to modify, because Jabber clients are
generally expected to be quite thin, and because Jabber servers are
already involved in pushing roster items.

- Andrew