[xmpp] Comments on draft-alkemade-xmpp-iq-validation-00

"Joe Hildebrand (jhildebr)" <jhildebr@cisco.com> Sat, 08 March 2014 11:11 UTC

Return-Path: <jhildebr@cisco.com>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 1BD051A012A for <xmpp@ietfa.amsl.com>; Sat, 8 Mar 2014 03:11:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.048
X-Spam-Status: No, score=-10.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 00hp-UmFWlvz for <xmpp@ietfa.amsl.com>; Sat, 8 Mar 2014 03:11:25 -0800 (PST)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com []) by ietfa.amsl.com (Postfix) with ESMTP id 8239E1A00E8 for <xmpp@ietf.org>; Sat, 8 Mar 2014 03:11:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=943; q=dns/txt; s=iport; t=1394277081; x=1395486681; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=3+eLQRkimcGsPWZyMbbT0VTDo7QsMpzoEu7HGwNoTr0=; b=avGkk7BTumfiRPmIyrOQfcezkD7YKbyUmZAMO9LEuNyJy+b3j+lqNYFS 27fM4xZj9KmNmKo3aIimnOANc6iVFaPDS1SW0KIomnJwEShwO8Wk9rUAe RDN++ILjDpf/63qZ/iZweSXG5HRX8H+8gx2ooFIo9pNN9xLMRsMIQ2t+W 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgcFAAT6GlOtJV2d/2dsb2JhbABagwaBEsJBFnSCLDpRAT5CJwSIDJ8UsF4XkxoElFmDbJIrgy2BayQc
X-IronPort-AV: E=Sophos;i="4.97,613,1389744000"; d="scan'208";a="25909189"
Received: from rcdn-core-6.cisco.com ([]) by alln-iport-4.cisco.com with ESMTP; 08 Mar 2014 11:11:20 +0000
Received: from xhc-aln-x04.cisco.com (xhc-aln-x04.cisco.com []) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id s28BBKub006872 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <xmpp@ietf.org>; Sat, 8 Mar 2014 11:11:20 GMT
Received: from xmb-rcd-x10.cisco.com ([]) by xhc-aln-x04.cisco.com ([]) with mapi id 14.03.0123.003; Sat, 8 Mar 2014 05:11:20 -0600
From: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>
To: "xmpp@ietf.org" <xmpp@ietf.org>
Thread-Topic: Comments on draft-alkemade-xmpp-iq-validation-00
Thread-Index: AQHPOr8iCz6rRPnJ+kyy0gTn725IaA==
Date: Sat, 8 Mar 2014 11:11:20 +0000
Message-ID: <CF4096A9.3D005%jhildebr@cisco.com>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-ID: <2513D56E93E0D846848FFF3EC3598701@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/xmpp/BiAVk6XDFRIJG0yDc_Il8Gt0QvI
Subject: [xmpp] Comments on draft-alkemade-xmpp-iq-validation-00
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp/>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Mar 2014 11:11:31 -0000

(no hats)

Section 1: suggest s/it was found//

Before Section 4: suggest adding some examples in a new section.  Good
iq/response, spoofed response with different from (perhaps followed by
real response to make it clear), unexpected 'from' from the server

Section 4: suggest switching the order of 4.1 and 4.2.  current section
4.1 is an edge case, leading with the core mechanism is more understandible

Section 4.1: quote 6120 and 3920 directly if possible.

Section 4.2: we had lots of discussion over "unique".  We'll likely want
some flavor of that discussion in the final text.  For the MUST ignore
text, can the client log an error or notify the user?

Section 6: we'll likely want some security analysis here.

May a server perform this tracking too, and reject things that look like

This doc is a good start.  I think we should adopt it into the working
group immediately.

Joe Hildebrand