<remark><p>Initial version, split off from XEP-0136 per XMPP Council consensus.</p></remark>
</revision>
</header>
<section1topic='Introduction'anchor='intro'>
<p>&xep0136; defines a technology for archiving messages at an XMPP server instead of locally on a client device. This specification defines methods for encrypting such messages.</p>
</section1>
<section1topic='Encryption of Manually-Archived Collections'anchor='manual'>
<p>Clients SHOULD encrypt manually-archived collections (although early implementations of this protocol MAY prefer to defer encryption and decryption to later releases). Servers MUST support the manual-archiving of encrypted collections.</p>
<p>Before uploading a sequence of messages to a collection, the client SHOULD select a symmetric data encryption algorithm, generate a suitable random encryption key, give the key a unique (for the user) name, encrypt the symmetric key with one of the user's public keys, and wrap the result inside one or more <EncryptedKey/> elements, as specified in &w3xmlenc;.</p>
<p>To ensure that all its user's clients will be able to decrypt the collection, the client SHOULD create one <EncryptedKey/> element for each of its user's public keys that are being published using &xep0189;. However, the client MUST NOT create an <EncryptedKey/> element for any public key until it has confirmed that it belongs to the user. Note: The fact that a public key is being published using <cite>XEP-0189</cite> is <em>not</em> sufficient proof of ownership, since the user's server may have been compromised at some stage. The method of confirmation is beyond the scope of this document.</p>
<p>The client SHOULD use the symmetric key to encrypt the joined sequence of <to/>, <from/> and <note/> elements, base64 encode the resulting sequence of bytes, and wrap it inside an <EncryptedData/> element, as described in <cite>XML Encryption</cite>.</p>
<p>Clients may add one or more <EncryptedData/> or <EncryptedKey/> elements to a collection using exactly the same method as for <to/>, <from/> and <note/> elements (see <linkurl='#manual-upload'>Uploading Messages to a Collection</link>). One collection may contain <EncryptedData/> elements encrypted with different symmetric keys.</p>
<p>When appending <EncryptedData/> elements to a collection, the client MAY reuse a symmetric Key that has already been uploaded to the collection. In this case the client SHOULD NOT resend <EncryptedKey/> elements.</p>
<p>Note: A collection that contains <EncryptedData/> or <EncryptedKey/> elements MUST NOT contain <to/> or <from/> or <note/> elements.</p>
<examplecaption='Storing encrypted messages and keys in a collection'><![CDATA[
<p>The <CipherData/> child of each <EncryptedData/> element contains the base64-encoded symmetric-encrypted messages. The <EncryptionMethod/> and <KeyInfo/> children specify the symmetric encryption algorithm and the name of the symmetric key used to encrypt the messages.</p>
<p>The <CarriedKeyName/> child of each <EncryptedKey/> element contains the name of the symmetric key it contains. The name is referenced by the <KeyName/> child of the <KeyInfo/> child of an <EncryptedData/> element. The <CipherData/> child of each <EncryptedKey/> element contains the base64-encoded public-key-encrypted symmetric key. The <EncryptionMethod/> and <KeyInfo/> children specify the public key encryption algorithm and the name of the public key used to encrypt the symmetric key. The name of the public key MAY refer to the name in the <KeyName/> child of one of the <KeyInfo/> elements that are being published using <cite>XEP-0189</cite>.</p>
<examplecaption='Private chat with encrypted attributes form'><![CDATA[
<p>The x:data form MAY be removed from a collection simply by uploading an empty form. Note: The server SHOULD NOT return an error if it finds that the form to be deleted does not exist.</p>
<examplecaption='Deleting the attributes form'><![CDATA[
<section1topic='Enabling Auto-Archiving with Encryption'anchor='auto'>
<p>The client can enable auto-archiving with server-side encryption by setting the 'save' attribute to "true" or "1" and setting the 'encrypt' attribute to "true" or "1".</p>
<examplecaption='Client enables auto archiving with encryption'><![CDATA[
<p>If the server supports encryption but there is no public key available for the user (e.g., as published via &xep0189;, the server MUST return a ¬acceptable; error.</p>
<examplecaption='No Public Key Available'><![CDATA[
<p>If the server supports encryption (see <linkurl='#disco'>Determining Server Support</link>), it MUST encrypt all the messages that it archives automatically (including any message collections that are currently being recorded) by following exactly the same procedure as clients use when manually archiving collections (see <linkurl='#crypt'>Encryption</link>).</p>
<p>The client MAY also specify one or more public keys (in addition to any public keys that the user may be publishing using <cite>XEP-0189</cite>). The server MUST use them all to encrypt all the symmetric keys it generates and add these to the collection wrapped in <EncryptedKey/> elements.</p>
<examplecaption='Client enables auto archiving with encryption'><![CDATA[
<p>As soon as the server has finished archiving a collection, it MUST securely destroy all copies of the symmetric key it used to encrypt the messages. Note: If the security of the server is compromised, then only the collections being recorded during the attack will be revealed (i.e. only those messages that would have been compromised even if they had not been archived).</p>
</section1>
<section1topic='Retrieving a List of Encrypted Collections'anchor='collection'>
<p>If a collection contains <EncryptedData/> or <EncryptedKey/> elements then the 'crypt' attribute of the <chat/> element MUST be set to 'true':</p>
<examplecaption='Receiving the first page of a list'><![CDATA[
<section1topic='Retrieving an Encrypted Collection'anchor='retrieve'>
<p>The items in encrypted collections are typically larger than the items in an unencrypted collection, since each <EncryptedData/> element typically contains many messages. So the client SHOULD take even more care not to request a page of <EncryptedData/> elements that is so big it might exceed rate limiting restrictions.</p>
<examplecaption='Requesting the first page of an encrypted collection with all versions of keys'><![CDATA[
<p>In addition to the requested <EncryptedData/> elements, the server MUST return all the <EncryptedKey/> elements that it possesses for the user whose symmetric key name (wrapped in its <CarriedKeyName/> child) is referenced by the <KeyName/> child of the <KeyInfo/> child of any of the <EncryptedData/> elements in the returned page.</p>
<examplecaption='Receiving the first page of an encrypted collection'><![CDATA[
<p>The client MAY limit the number of <EncryptedKey/> elements that it receives by specifying the name of one or more public keys for which it holds the associated private keys. The name of each public key MUST be wrapped in a <KeyName/> element.</p>
<examplecaption='Requesting the first page of an encrypted collection with specified version of keys'><![CDATA[
<p>If the request includes one or more <KeyName/> elements then the server MUST only return those <EncryptedKey/> elements whose public key name (wrapped in the <KeyName/> child of the <KeyInfo/> child) is specified in the request.</p>
<p>If a private key becomes obsolete or compromised then it may be necessary for a client to replace all <EncryptedKey/> elements that contain symmetric keys encrypted with the public key that is associated with the obsolete private key.</p>
<p>The client first requests a list of the affected <EncryptedKey/> elements from all collections by sending a <keys/> element to the server:</p>
<examplecaption='Requesting the first page of a list of keys'><![CDATA[
<p>The server MUST return only <EncryptedKey/> elements whose symmetric encryption key is encrypted with the obsolete public key specified in the <KeyName/> child of the request:</p>
<examplecaption='Receiving the first page of a list of keys'><![CDATA[
<p>The client decrypts each symmetric key with the obsolete private key and encrypts it again with the new public key. The client then wraps each symmetric key in an <EncryptedKey/> element and asks the server to archive it in its associated collection on the server (see <linkurl='#crypt'>Encryption</link>):</p>
<examplecaption='Storing encrypted keys in a collection'><![CDATA[
<p>Finally, the client asks the server to delete from each collection all <EncryptedKey/> elements whose symmetric encryption key is encrypted with the obsolete public key:</p>
<examplecaption='Deleting key(s) from a collection'><![CDATA[
<p>If the server supports the <em>service-side</em> encryption feature, it MUST return a <feature/> element with the 'var' attribute set to 'urn:xmpp:tmp:archive:encrypt' &NSNOTE;.</p>
<examplecaption='Server Service Discovery response'>
<p>Because the subject of each collection will not be encrypted even if its messages are encrypted, the client MUST warn its human user (if any) before including 'subject' attributes on encrypted collections.</p>
<p>The XMPP Registrar shall include the following features in its registry of service discovery features (see &DISCOFEATURES;), where the string "urn:xmpp:tmp:archive" shall be replaced with the URN issued by the XMPP Registrar:</p>
<ul>
<li>urn:xmpp:tmp:archive:encrypt</li>
</ul>
</section2>
</section1>
<section1topic='XML Schema'anchor='schema'>
<p>If this specification is advanced to a status of Draft, the schema for the 'urn:xmpp:tmp:archive' namespace &NSNOTE; shall be updated to add a boolean 'encrypt' attribute to the <auto/> element, as follows.</p>