moparisthebest
/
xeps
mirror of https://github.com/moparisthebest/xeps
1
0
Fork 0
Code Issues Releases Wiki Activity

XEP-0383: Improve Security Considerations

This commit is contained in:
Sam Whited 2017-01-06 10:29:46 -06:00
parent 4ba979c91f
commit 7a4bd56087
1 changed files with 19 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
xep-0383.xml
View File

@ -24,6 +24,12 @@
<supersededby/> <supersededby/>
<shortname>burner</shortname> <shortname>burner</shortname>
&sam; &sam;
<revision>
<version>0.1.1</version>
<date>2017-01-28</date>
<initials>ssw</initials>
<remark><p>Improve security considerations.</p></remark>
</revision>
<revision> <revision>
<version>0.1</version> <version>0.1</version>
<date>2016-12-07</date> <date>2016-12-07</date>
@ -176,18 +182,21 @@
</section1> </section1>
<section1 topic='Security Considerations' anchor='security'> <section1 topic='Security Considerations' anchor='security'>
<p> <p>
To prevent burner JIDs from being abused for spamming, implementations To prevent burner JIDs from being abused for spamming, implementations MAY
SHOULD rate limit all burner JIDs in use by an authentication identity as a rate limit all burner JIDs in use by an authn identity as a single unit.
single unit. However, be advised that this may provide a third party that can monitor
traffic patterns with the ability to determine what burner JIDs belong to
the same user.
To prevent a burner JIDs authn identity from being discovered the same way,
burner JIDs SHOULD NOT share a rate limit with their authn identity.
</p> </p>
<p> <p>
If TLS channel binding information is encoded in the burner JID it is If TLS channel binding information is encoded in the local part of the
RECOMMENDED that the tls-unique channel binding value be used as defined by burner JID it is RECOMMENDED that the tls-unique channel binding value be
&rfc5929; &sect;3. used as defined by &rfc5929; &sect;3.
However, for resumed sessions the JIDs SHOULD be considered invalid unless Note that unless the master-secret fix from &rfc7627; has been implemented
the master-secret fix from &rfc7627; has been implemented because otherwise channel binding information does not include enough context to successfully
resumption does not include enough context to successfully verify the verify the binding when resuming a TLS session.
binding.
</p> </p>
<p> <p>
Implementations that choose to encode information in the localpart of burner Implementations that choose to encode information in the localpart of burner