<remark><p>Per a vote of the XMPP Council, advanced specification from Experimental to Draft; simultaneously the XMPP Registrar issued a namespace of "urn:xmpp:pie:0".</p></remark>
<remark><p>Modified to include feedback received during the initial Last Call. Added sections for privacy lists and incoming subscriptions, as well as text on XInclude security.</p></remark>
<remark><p>Initial published version.</p></remark>
</revision>
<revision>
<version>0.0.1</version>
<date>2007-07-27</date>
<initials>mh</initials>
<remark><p>Initial version.</p></remark>
</revision>
</header>
<section1topic='Introduction'anchor='intro'>
<p>Different implementations of XMPP-IM servers store user data in various ways, and many implementations have more than one storage format. This leads to problems when a server administrator wants to switch to another implementation or storage format -- the implementation is as likely as not to have an import mechanism that can read the user data in its current form. This document attempts to solve that problem by defining a common file format for import and export of user data in XMPP-IM servers.</p>
</section1>
<section1topic='Requirements'anchor='reqs'>
<p>The following constraints are imposed on this standard:</p>
<ul>
<li>
<p>The file format is XML-based.</p>
<p>XMPP-IM servers already have tools to process XML data. This also allows extension of the format using namespaces. Furthermore, some of the data that needs to be stored is by definition already in XML form.</p>
<p>All user data is stored, but no server configuration data.</p>
<p>User data has similar form throughout the XMPP world, but server configuration is implementation-specific. Therefore this specification does not attempt to transfer any aspects of the server configuration from one server to another.</p>
<p>Furthermore, the contents of MUC, Pubsub and other services are out of scope for this specification.</p>
</li>
<li>
<p>Multiple virtual hosts are supported.</p>
<p>Many server implementations can serve several hostnames in a single server instance. Thus this specification allows storing data from several virtual hosts.</p>
<p>At any point in the file, an exporting server may put elements qualified by a namespace not mentioned in this specification. The exported data SHOULD be meaningful without the extensions. An importing server that encounters a namespace that it doesn't understand, or otherwise is unable to import all given data, SHOULD ignore the unknown data, SHOULD notify the operator, and MAY offer to terminate the process.</p>
<p>The child elements of the <server-data/> elements are <host/> elements. Each <host/> element describes a virtual host, and has a 'jid' attribute that contains its JID.</p>
<p>An importing server MAY automatically adjust its list of virtual hosts to fit the ones present in the data being imported. If it does not, it SHOULD notify the operator about any mismatch.</p>
<p>Each user is represented by a <user/> element under the <host/> element. The <user/> element MUST have a 'name' attribute, which contains the node part of the user's JID.</p>
<p>If the plaintext password of the user is known, it MAY be included in the 'password' attribute, although this is not recommended from a security perspective. For more information see <linkurl='#security'>Security Considerations</link>. See also the SCRAM credentials section for an alternative.</p>
<p>Authentication secrets may be included that allow for authentication using the SCRAM family of mechanisms, as defined in &rfc5802;.</p>
<p>Each set of credentials should be encapsulated within a <scram-credentials/> element in the 'urn:xmpp:pie:0#scram' namespace, and contained within the relevant <user/> element. The element should have a 'mechanism' attribute specifying the registered name of the mechanism that the credentials are used for (always without the "-PLUS" suffix), e.g. 'SCRAM-SHA-1'. The element MUST contain a single occurrence of each of the following child elements:</p>
<ul>
<li><iter-count/>: containing the SCRAM iteration count, e.g. '10000'. This must be a positive integer without leading zeros.</li>
<li><salt/>: containing the base64-encoded salt.</li>
<li><server-key/>: containing the base64-encoded ServerKey defined by SCRAM.</li>
<li><stored-key/>: containing the base64-encoded StoredKey defined by SCRAM.</li>
</ul>
<p>There may be multiple occurrences of <scram-credentials/> for a single user, however they MUST all have a unique 'mechanism' attribute.</p>
<examplecaption='Including a user's SCRAM credentials'><![CDATA[
<p>Be aware of the <linkurl='#security'>Security Considerations</link> when including credentials in a data export. Even though SCRAM credentials are stored in a hashed form, leaking them still allows an attacker to impersonate the user to other servers employing the same SCRAM parameters, and it also allows for offline dictionary or brute-force attacks.</p>
<p>Each <user/> element SHOULD contain the user's roster in the form of a <query/> element qualified by the 'jabber:iq:roster' namespace. This element contains the user's roster in the same format as when retrieving the roster from the server, as described in section 7.3 of &xmppim;.</p>
<p>If the exporting server stores messages received while the user was offline, it SHOULD include an <offline-messages/> element as a child of the <user/> element. This element contains all the stored messages to the user, if any, as <message/> elements qualified by the 'jabber:client' namespace, starting with the oldest.</p>
<section2topic='Private XML Storage'anchor='privatexmlstorage'>
<p>Private data stored by the server as specified in &xep0049; is represented in this format by including a <query/> element qualified by the 'jabber:iq:private' namespace as a child of the <user/> element. This <query/> element in turn contains all elements saved in private XML storage.</p>
<p>By &xep0054;, users can store vCards on the server. In this specification, vCards are child elements of the <user/> element, namely a <vCard/> element qualified by the 'vcard-temp' namespace.</p>
<p>Privacy lists, as specified in &xep0016;, are represented in this format by including a <query/> element qualified by the 'jabber:iq:privacy' namespace as a child of the <user/> element. This element should contain all privacy lists associated with the user. A default privacy list, if set, is specified by including a <default/> element as a child of the <query/> element.</p>
<p>Each <user/> element SHOULD contain pending incoming subscription requests associated with the user's account. Incoming subscription requests are represented by including <presence/> elements qualified by the 'jabber:client' namespace with the 'type' attribute set to a value of 'subscribe' as children of the <user/> element.</p>
<p>A user's PEP data (as defined in &xep0163;) SHOULD be included if known.</p>
<p>Node configuration and the actual node data are encapsulated separately, as described below. A typical export that contains both node configuration and the actual data contained within the node, will include two <pubsub/> elements (qualified by different namespaces).</p>
<p>Many server implementations include support for additional pubsub features from &xep0060; beyond those required by XEP-0163. This specification aims to preserve this additional data also, when it is present and supported by both servers.</p>
<p>Within the <user/> element there should be a single <pubsub/> element qualified by the 'http://jabber.org/protocol/pubsub#owner' namespace (note the '#owner' suffix). Within this element, there MUST be one <configure/> element for each exported node, with the node's name in the 'node' attribute. There MAY be additional elements included, at most one per node of each kind: <subscriptions/> and <affiliations>, following the syntax defined in XEP-0060.</p>
<p>The format of the <configure/> is a &xep0004; data form, typically containing the fields documented in XEP-0060, encoding the configuration of the named node.</p>
<p>As a general rule, importers SHOULD ignore node configuration options that the target server implementation doesn't recognise, to allow porting data between different implementations even in the presence of custom extensions. Exceptions to this requirement may be made for imports that are expected to be lossless, for example if the user has specifically requested a lossless import, or if the importer recognises certain configuration fields as critical to protect the node's security or integrity.</p>
<p>Within the <user/> element there should be a single <pubsub/> element qualified by the 'http://jabber.org/protocol/pubsub' namespace (note the lack of any suffix). Within this element, there MUST be one <items/> element for each exported node, with the node's name in the 'node' attribute.</p>
<p>Any node listed in this element MUST have a corresponding configuration included as described in the previous section.</p>
<p>Each <items> element MUST contain zero or more <item/> elements as defined by XEP-0060.</p>
</section3>
<p>This example demonstrates an export for a user who has two nodes: a private bookmarks node with two bookmarks, and a public nickname node containing a single item.</p>
<examplecaption='Romeo's exported PEP data'><![CDATA[
<p>A user's &xep0313; message archive MAY be included in an export. If included, they MUST be formatted as a series of XEP-0313 <result/> elements within an <archive/> element qualified by the 'urn:xmpp:pie:0#mam' namespace. The result elements MUST be in chronological order (from oldest to newest).</p>
<p>An exporting server may split the data in several files by using the XInclude <include/> element. An importing server MUST support <include/> elements having an 'href' attribute containing a relative URI, having no 'parse' attribute, and having no 'xpointer' attribute; it MAY support other kinds of <include/> elements. An exporting server SHOULD NOT include and an importing server SHOULD NOT process <include/> elements which are descendants, but not children of the <user/> element (since these may be part of user data).</p>
<p>The main file contains the <server-data/> element, which contains nothing but one <include/> element for each host. The file included for a certain host is placed in the same directory as the main file, and is named by appending ".xml" to the JID of the host, e.g. "capulet.com.xml".</p>
<p>Each host file contains a <host/> element, which contains nothing but one <include/> element for each user of the host. The file included for a certain user is placed in a subdirectory whose name is the JID of the host, and is named by appending ".xml" to the node part of the user's JID, e.g. "capulet.com/juliet.xml".</p>
<p>The definition of JIDs ensures that this generates valid file names on traditional Unix-like file systems, except for possible length constraints. However, various constraints may force an exporting server to alter this scheme. In any case, the importing server MUST NOT rely on this layout, but MUST do proper XInclude processing.</p>
<p>Exported data files are to be handled with care, since they contain data that users expect to be protected, in particular passwords. An exporting server SHOULD make sure that the generated file is not accessible to unauthorized persons, e.g. by enforcing strict file permissions. It may also apply suitable encryption before storing or transmitting the data.</p>
<p>XInclude <include/> elements which are indirect descendants of the <user/> element SHOULD be treated as opaque user data, and SHOULD NOT be processed.</p>