<abstract>In order to keep all IM clients for a user engaged in a conversation, outbound messages are carbon-copied to all interested resources.</abstract>
<remark><p>Required the wrapping message to use the carbon user's bare JID; added to the security concerns about rejecting carbon copies not from the carbon user's bare JID.</p></remark>
<remark><p>Changed enabling and disabling to use separate elements rather than attributes; ensured all elements in the examples have their namespaces more explicitly defined; used message forwarding for carbon copies.</p></remark>
<p>At the time of original writing of this XEP, many XMPP servers handle message stanzas sent to a user@host (or "bare") JID with no resource by delivering that message only to the resource with the highest priority for the target user. Some server implementations, however, have chosen to send these messages to all of the online resources for the target user. If the target user is online with multiple resources when the original message is sent, a conversation ensues on one of the user's devices; if the user subsequently
switches devices, parts of the conversation may end up on the alternate device, causing the user to be confused, misled, or annoyed.</p>
<p>This XEP defines an approach for ensuring that all of my devices get both sides of all conversations in order to avoid user confusion. As a pleasant side-effect, information about the current state of a conversation is shared between all of a user's clients that implement this protocol.</p>
<p>If a server implements the Message Carbons capability, it MUST specify the "urn:xmpp:carbons:1" feature in its service discovery information features as specified in &xep0030; or section 6.3 of &xep0115;. Clients SHOULD NOT attempt to enable or disable Carbons if their server does not support this feature.</p>
<p>Servers MUST NOT enable the Carbons protocol for a client by default, since unmodified clients might be confused by the new protocol. When a client wants to participate in the Carbons protocol, it sends an IQ set to enable the protocol.</p>
<p>Carbons will generally be enabled before the client sends the first undirected presence, to ensure that all inbound messages will be delivered according to the Carbon rules. The server will respond with an IQ result when Carbons are enabled:</p>
<p>Some clients might want to disable Carbons. An example of this might be a mobile client that wants Carbons when the application is in the foreground, and disabled when it is in the background. To disable Carbons, clients send an IQ set:</p>
<p>Enabling or disabling Carbons may fail in the several ways. If one of these errors is returned, the server MUST keep the previous state, where the initial state is Carbons disabled. For example, if the first enable returns an error, the server MUST NOT enable Carbons.</p>
<p>The sender has sent a stanza containing XML that does not conform to the appropriate schema or that cannot be processed. One example is an IQ stanza that includes an unrecognized value of the 'type' attribute. Another is changing to the state that is already in effect (enabling Carbons a second time).</p>
<p>Messages of type chat that are addressed to the bare JID (localpart@domain) MUST be delivered according to RFC 6121 § 8.5.2, and MUST be copied by the receiving server to all of the resources for that user that are carbons-enabled. The process of making copies is known as "forking."</p>
<p>A carbons-enabled resource MUST NOT receive more than one copy of the message. A carbons-enabled resource that has a negative priority MUST still receive a copy of the message.</p>
<p>Messages of type "chat" that are addressed to a full JID (localpart@domain/resource) MUST be sent by the receiving server to the addressed resource. A copy of the message MUST also be sent to all of the Carbons-enabled resources for the receiving user, excluding the original destination (which is sent the original message according to the routing rules in &rfc6120; and &rfc6120;).</p>
<p>The copies sent to the Carbon-enabled resources are wrapped using &xep0297;. The wrapping message SHOULD maintain the same 'type' attribute value; the 'from' attribute MUST be the Carbon-enabled user's bare JID (e.g. "localpart@domain"); and the 'to' attribute SHOULD be the full JID of the resource receiving the copy. The content of the wrapping message MUST contain a <forwarded xmlns='urn:xmpp:forward:0'/> which contains the original message (properly namespaced as "jabber:client") and a <received xmlns='urn:xmpp:carbons:1'/> element:</p>
<p>Carbons clients want to have copies of messages going in <em>both</em> directions for other resources associated with the same user. To that end, messages of type "chat" that are sent from any resource MUST be copied by the sending server to each of the resources that have enabled Carbons, but are not the sending resource.</p>
<p>The copies sent to the Carbon-enabled resources are wrapped using &xep0297;. The wrapping message SHOULD maintain the same 'type' attribute value; the 'from' attribute MUST be the Carbon-enabled user's bare JID (e.g. "localpart@domain"); and the 'to' attribute SHOULD be the full JID of the resource receiving the copy. The content of the wrapping message MUST contain a <forwarded xmlns='urn:xmpp:forward:0'/> which contains the original message (properly namespaced as "jabber:client") and a <sent xmlns='urn:xmpp:carbons:1'/> element:</p>
<p>Some clients might want to avoid carbons on a single message, while still keeping all of the other semantics of Carbon support. This might be useful for clients sending end-to-end encrypted messages, for example.</p>
<p>To avoid a message being Carbon-copied to its other resources, the sending client MUST add a private element in the "urn:xmpp:carbons:1" namespace. When the sending server receives the message, it MUST NOT make carbon copies to the other Carbons-enabled resources, and MUST remove the private element before forwarding the message to the intended recipient.</p>
<examplecaption='Romeo's server removes the private tag before forwarding, and does NOT send carbon copies to Romeo's other resources'><![CDATA[
<p>Note that &xep0085; recommends sending chat state
notifications as chat type messages, which means that they will be
subject to Carbon-copying. This is intentional.</p>
<p>Additionally, clients that implement Carbons MAY take special use of chat state notifications:</p>
<ul>
<li>Upon receiving an inbound or outbound <em>gone</em> chat state (as a carbon copy) for a given conversation, that conversation SHOULD be removed from user display as if the user on the copied client had terminated the conversation. In order to prevent unwanted termination of conversations on other resources, clients SHOULD NOT send <em>gone</em> chat states on logout, but instead SHOULD count on the unavailable presence to convey the change in attention.</li>
<li>Upon receiving an outbound notification of any chat state other than <em>gone</em>, the copied client MAY conclude that the sending client has taken responsibility for the conversation, and make appropriate user interface modifications. For example, notifications could be suppressed on devices receiving the Carbon-copies.</li>
<p>When a receiving server attempts to deliver a forked message, and that message bounces with an error for any reason, the receiving server MUST NOT forward that error back to the original sender. The receiving server SHOULD use the sent element in the bounce to determine that an error is from a forked message.</p>
<p>This rule is used to prevent some of the half-failure modes that have been an issue in other prototocols.</p>
<p>Clients that automatically respond to messages for any reason (e.g. when in the "dnd" presence show state) MUST take adequate care when enabling Carbons in order to prevent storms or loops. Carbon copies of messages MUST NOT be auto-replied to under any circumstances. Forked inbound messages SHOULD NOT be auto-replied to, unless the client has some way of ensuring no more than one auto-reply is sent from all of its user's resources.</p>
<p>Since mobile devices often must pay for network traffic based on usage, the enablement of Carbons for such devices should be undertaken advisedly. More complicated mechanisms for controlling the Carbon-copying or forking of individual conversations may need to be added to deal with mobile clients in the future.</p>
<p>The security model assumed by this document is that all of the resources for a single user are in the same trust boundary. Any forwarded copies received by a Carbon-enabled client MUST be from that user's bare JID; any copies that do not meet this requirement MUST be ignored.</p>
<p>Outbound chat messages that are encrypted end-to-end are not often useful to receive on other resources. As such, they should use the <private/> element specified above to avoid such copying, unless the encryption mechanism is able to accommodate this protocol.</p>
<p>Upon advancement of this specification from a status of Experimental to a status of Draft, the ®ISTRAR; shall add the foregoing namespace to the registry located at &NAMESPACES;, as described in Section 4 of &xep0053;.</p>
<p>The authors wish to thank Patrick Barry, Teh Chang, Jack Erwin, Craig Kaes, Kathleen McMurry, Tory Patnoe, Peter Saint-Andre, Ben Schumacher, and Kevin Smith for their feedback.</p>