added security consideration about forging /psa

git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@3400 4b5297f7-1745-476d-ba37-a9c6900126ab
This commit is contained in:
Unknown User 2009-09-09 19:39:56 +00:00
parent e4c2bbec3b
commit ab81bae3db
1 changed files with 10 additions and 0 deletions

View File

@ -27,6 +27,12 @@
<url>http://www.xmpp.org/schemas/delay.xsd</url>
</schemaloc>
&stpeter;
<revision>
<version>1.1rc1</version>
<date>in progress, last updated 2009-09-09</date>
<initials>psa</initials>
<remark><p>Addressed security concern about forged timestamps provided during Call for Experience.</p></remark>
</revision>
<revision>
<version>1.0</version>
<date>2007-03-29</date>
@ -139,6 +145,7 @@
</section1>
<section1 topic='Security Considerations' anchor='security'>
<p>Delayed delivery data can expose information about the sender's presence on the network at some time in the past. However, this introduces no new vulnerabilities, since the same information would have been available in real time.</p>
<p>Absent cryptographic signing of stanzas and parts of stanzas, it is possible for delayed delivery notations to be forged. For example, the originator of a message (or the originator's server) could include a notation that makes it appear as if delivery of the message was delayed by the recipient's server. The same is true of delayed delivery notations putatively added by a Multi-User Chat room, which could be forged by the message originator, the originator's server, the recipient's server, or the server that hosts the chatroom service. Although the recipient's server SHOULD discard a delayed delivery notation whose 'from' attribute matches the server's JabberID (or return a &notacceptable; error to the originator), this policy does not guard against forging of notations putatively from other entities (such as a chatroom hosted at a different trust domain). Therefore, a recipient SHOULD NOT rely on delayed delivery notations to provide a completely accurate representation of the delivery path or timing of a stanza it has received.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
<p>This document requires no interaction with &IANA;.</p>
@ -179,4 +186,7 @@
</xs:schema>
]]></code>
</section1>
<section1 topic='Acknowledgements' anchor='ack'>
<p>Thanks to Sergei Golovan for his feedback regarding forged timestamps.</p>
</section1>
</xep>