moparisthebest
/
xeps
mirror of https://github.com/moparisthebest/xeps
1
0
Fork 0
Code Issues Releases Wiki Activity

XEP-0383: Improve Security Considerations

hacx
Sam Whited 2017-01-06 10:29:46 -06:00
parent 4ba979c91f
commit 7a4bd56087
1 changed files with 19 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
xep-0383.xml
View File

@ -24,6 +24,12 @@
<supersededby/>
<shortname>burner</shortname>
&sam;
<revision>
<version>0.1.1</version>
<date>2017-01-28</date>
<initials>ssw</initials>
<remark><p>Improve security considerations.</p></remark>
</revision>
<revision>
<version>0.1</version>
<date>2016-12-07</date>
@ -176,18 +182,21 @@
</section1>
<section1 topic='Security Considerations' anchor='security'>
<p>
To prevent burner JIDs from being abused for spamming, implementations
SHOULD rate limit all burner JIDs in use by an authentication identity as a
single unit.
To prevent burner JIDs from being abused for spamming, implementations MAY
rate limit all burner JIDs in use by an authn identity as a single unit.
However, be advised that this may provide a third party that can monitor
traffic patterns with the ability to determine what burner JIDs belong to
the same user.
To prevent a burner JIDs authn identity from being discovered the same way,
burner JIDs SHOULD NOT share a rate limit with their authn identity.
</p>
<p>
If TLS channel binding information is encoded in the burner JID it is
RECOMMENDED that the tls-unique channel binding value be used as defined by
&rfc5929; &sect;3.
However, for resumed sessions the JIDs SHOULD be considered invalid unless
the master-secret fix from &rfc7627; has been implemented because otherwise
resumption does not include enough context to successfully verify the
binding.
If TLS channel binding information is encoded in the local part of the
burner JID it is RECOMMENDED that the tls-unique channel binding value be
used as defined by &rfc5929; &sect;3.
Note that unless the master-secret fix from &rfc7627; has been implemented
channel binding information does not include enough context to successfully
verify the binding when resuming a TLS session.
</p>
<p>
Implementations that choose to encode information in the localpart of burner