mirror of
https://github.com/moparisthebest/xeps
synced 2024-12-21 07:08:51 -05:00
XEP-0383: Improve Security Considerations
This commit is contained in:
parent
4ba979c91f
commit
7a4bd56087
29
xep-0383.xml
29
xep-0383.xml
@ -24,6 +24,12 @@
|
||||
<supersededby/>
|
||||
<shortname>burner</shortname>
|
||||
&sam;
|
||||
<revision>
|
||||
<version>0.1.1</version>
|
||||
<date>2017-01-28</date>
|
||||
<initials>ssw</initials>
|
||||
<remark><p>Improve security considerations.</p></remark>
|
||||
</revision>
|
||||
<revision>
|
||||
<version>0.1</version>
|
||||
<date>2016-12-07</date>
|
||||
@ -176,18 +182,21 @@
|
||||
</section1>
|
||||
<section1 topic='Security Considerations' anchor='security'>
|
||||
<p>
|
||||
To prevent burner JIDs from being abused for spamming, implementations
|
||||
SHOULD rate limit all burner JIDs in use by an authentication identity as a
|
||||
single unit.
|
||||
To prevent burner JIDs from being abused for spamming, implementations MAY
|
||||
rate limit all burner JIDs in use by an authn identity as a single unit.
|
||||
However, be advised that this may provide a third party that can monitor
|
||||
traffic patterns with the ability to determine what burner JIDs belong to
|
||||
the same user.
|
||||
To prevent a burner JIDs authn identity from being discovered the same way,
|
||||
burner JIDs SHOULD NOT share a rate limit with their authn identity.
|
||||
</p>
|
||||
<p>
|
||||
If TLS channel binding information is encoded in the burner JID it is
|
||||
RECOMMENDED that the tls-unique channel binding value be used as defined by
|
||||
&rfc5929; §3.
|
||||
However, for resumed sessions the JIDs SHOULD be considered invalid unless
|
||||
the master-secret fix from &rfc7627; has been implemented because otherwise
|
||||
resumption does not include enough context to successfully verify the
|
||||
binding.
|
||||
If TLS channel binding information is encoded in the local part of the
|
||||
burner JID it is RECOMMENDED that the tls-unique channel binding value be
|
||||
used as defined by &rfc5929; §3.
|
||||
Note that unless the master-secret fix from &rfc7627; has been implemented
|
||||
channel binding information does not include enough context to successfully
|
||||
verify the binding when resuming a TLS session.
|
||||
</p>
|
||||
<p>
|
||||
Implementations that choose to encode information in the localpart of burner
|
||||
|
Loading…
Reference in New Issue
Block a user