git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@1188 4b5297f7-1745-476d-ba37-a9c6900126ab
Peter Saint-Andre 2007-08-28 18:21:04 +00:00
parent f4c5b40389
commit c26b4f2449
1 changed files with 7 additions and 6 deletions


@ -28,10 +28,10 @@
&stpeter;
&remko;
<revision>
<version>1.5pre2</version>
<date>2007-08-27</date>
<version>1.5pre3</version>
<date>2007-08-28</date>
<initials>jjh/psa</initials>
<remark><p>To avoid confusion, renamed the hash attribute to the algo attribute; required inclusion of the algo attribute in non-legacy mode; to help prevent a race condition, specified that the disco#info request is sent to node#ver; clarified handling of the legacy format to assist developers.</p></remark>
<remark><p>To avoid confusion, renamed the hash attribute to the algo attribute; required inclusion of the algo attribute in non-legacy mode; removed schema default for algo attribute; to help prevent a race condition and to ensure backward compatibility, specified that the disco#info request is sent to node#ver; further specified security considerations; clarified handling of the legacy format to assist developers.</p></remark>
</revision>
<revision>
<version>1.4</version>
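Review bot: The 1.5pre3 remark says only "further specified security considerations" without naming what was specified. This revision also states that the identity 'name' attribute is not included in the hash, which matters to anyone generating or checking 'ver', so the remark should say that explicitly, for example "specified that the identity name is not included in the hash".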
@ -150,7 +150,7 @@
to='juliet@capulet.lit/chamber'
type='result'>
<query xmlns='http://jabber.org/protocol/disco#info'>
<identity category='client' type='pc'/>
<identity category='client' name='Exodus 0.9.1' type='pc'/>
<feature var='http://jabber.org/protocol/disco#info'/>
<feature var='http://jabber.org/protocol/disco#items'/>
<feature var='http://jabber.org/protocol/muc'/>
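Review bot: The example identity now carries name='Exodus 0.9.1', but nothing beside the example tells the reader that 'name' is left out of hash generation, which this same change states only in the Security Considerations. Add a sentence next to the example saying that 'name' is ignored when computing or checking 'ver'; otherwise an implementer working from the example may include it in the hash input and reject valid values.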
@ -224,7 +224,7 @@
</tr>
<tr>
<td>algo</td>
<td>The hashing algorithm used in generated the 'ver' attribute (see &ianahashes;); the value defaults to "sha-1".</td>
<td>The hashing algorithm used in generated the 'ver' attribute (see &ianahashes;). The value SHOULD be "sha-1".</td>
<td>REQUIRED</td>
</tr>
<tr>
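Review bot: In the algo row, "The value SHOULD be "sha-1"" permits other values, but the row does not say what a recipient does when it receives an algorithm it does not support. Add that handling here or point to the section that defines it. The same sentence still reads "used in generated the 'ver' attribute", which should be "used to generate the 'ver' attribute".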
@ -375,6 +375,7 @@
<p>Use of the protocol specified in this document might make some client-specific forms of attack slightly easier, since the attacker could more easily determine the type of client being used. However, since most clients respond to Service Discovery and Software Version requests without performing access control checks, there is no new vulnerability. Entities that wish to restrict access to capabilities information SHOULD use &xep0016; to define appropriate communications blocking (e.g., an entity MAY choose to allow IQ requests only from "trusted" entities, such as those with whom it has a subscription of "both").</p>
<p>Adherence to the algorithm defined in the <link url='#ver'>Generation of ver Attribute</link> section of this document for both generation and checking of the 'ver' attribute helps to guard against poisoning of entity capabilities information by malicious or improperly implemented entities.</p>
<p>If the value of the 'ver' attribute is a hash as defined herein (i.e., if the 'ver' attribute is not generated according to the legacy format), inclusion of the 'algo' attribute is required. Knowing explicitly that the value of the 'ver' attribute is a hash enables the recipient to avoid spurious notification of invalid hashes.</p>
<p>The 'name' attribute of the service discovery &lt;identity/&gt; element is not included in the hash generation method. The primary reason for excluding it is that it is human-readable text and therefore may be provided in different localized versions. As a result, its inclusion would needlessly multiply the number of possible hash values and thus the time and resources required to validate values of the 'ver' attribute.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
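Review bot: The new paragraph on the 'name' attribute gives the reason for excluding it but not the consequence for recipients: because 'name' is outside the hash, entities with different names produce the same 'ver', and a name received alongside a given 'ver' is not covered by the check. State that explicitly, since the paragraph two above relies on the hash to guard against poisoning of capabilities information. Also consider "might" in place of lowercase "may" in "may be provided in different localized versions", so it is not read as a normative keyword.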
@ -408,7 +409,7 @@
<xs:complexType>
<xs:simpleContent>
<xs:extension base='empty'>
<xs:attribute name='algo' type='xs:NMTOKEN' use='required' default='sha-1'/>
<xs:attribute name='algo' type='xs:NMTOKEN' use='required'/>
<xs:attribute name='ext' type='xs:NMTOKENS' use='optional'/>
<xs:attribute name='node' type='xs:string' use='required'/>
<xs:attribute name='ver' type='xs:string' use='required'/>
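Review bot: With the default removed, use='required' on algo makes every instance without the attribute invalid, while the Security Considerations text requires algo only when 'ver' is a hash, that is, not in the legacy format. Either make the attribute optional in the schema and keep the requirement in prose, or state that legacy-format elements are not expected to validate against this schema.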