1
0
mirror of https://github.com/moparisthebest/xeps synced 2024-11-30 21:22:15 -05:00
xeps/xep-0192.xml

452 lines
15 KiB
XML
Raw Normal View History

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY % ents SYSTEM 'xep.ent'>
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<xep>
<header>
<title>Proposed Stream Feature Improvements</title>
<abstract>This document proposes improvements to the XML stream features definition for inclusion in the specification that supersedes RFC 3920.</abstract>
&LEGALNOTICE;
<number>0192</number>
<status>Experimental</status>
<type>Informational</type>
<jig>Standards JIG</jig>
<dependencies>
<spec>XMPP Core</spec>
</dependencies>
<supersedes>None</supersedes>
<supersededby>None</supersededby>
<shortname>N/A</shortname>
&stpeter;
<revision>
<version>0.1</version>
<date>2006-08-16</date>
<initials>psa</initials>
<remark><p>Initial version.</p></remark>
</revision>
<revision>
<version>0.0.1</version>
<date>2006-08-10</date>
<initials>psa</initials>
<remark><p>First draft.</p></remark>
</revision>
</header>
<section1 topic='Introduction' anchor='proto'>
&BISNOTE;
<p><cite>RFC 3920</cite> introduced the concept of stream features. Implementation experience has revealed several shortcomings in the current definition and usage of stream features:</p>
<ul>
<li>Because not all stream features include a mechanism for specifying that negotiation of the feature is required, servers and clients cannot know with certainty when the stream negotiation has been completed and therefore when it is acceptable to begin sending XML stanzas over the stream.</li>
<li>The server dialback protocol does not have a stream feature associated with it.</li>
<!--<li>It is not possible to discover which SASL mechanisms a server supports after SASL negotiation has been completed.</li>-->
</ul>
<p>Those shortcomings are addressed in this document.</p>
</section1>
<section1 topic='Required Flag' anchor='required'>
<p>The XMPP stream feature for Transport Layer Security (TLS) includes a &lt;required/&gt; child element that can be used to indicate that negotiation of TLS must be completed before proceeding with the rest of the stream negotiation. However, as defined in <cite>RFC 3920</cite> the remaining stream features do not include the ability to flag that negotiation of the feature is required in order either to proceed with the negotiation or to begin sending XML stanzas. Because the non-TLS features lack a required flag, it is not possible for the initiating entity to know definitively how to proceed at any given stage in the stream negotiation, and the only way for the initiating entity to know whether it may begin sending XML stanzas is to attempt to send them (the receiving entity will return a &notauthorized; stream error if not all required features have been negotiated). This state of affairs is suboptimal. Therefore, we recommend that every stream feature must include the ability to flag the feature as required or not required.</p>
<p>The following examples show a possible flow of stream negotiation between a client and a server, using the required flag for all but one of the features. (This example is more verbose than a typical stream negotiation flow, but is provided here for the sake of completeness.)</p>
<example caption='A stream negotiation'><![CDATA[
C: <stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com'
version='1.0'>
S: <stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_123'
from='example.com'
version='1.0'>
S: <stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
</stream:features>
C: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
S: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
[TLS negotiation]
C: <stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com'
version='1.0'>
S: <stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.com'
id='c2s_234'
version='1.0'>
S: <stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>EXTERNAL</mechanism>
<mechanism>DIGEST-MD5</mechanism>
<mechanism>PLAIN</mechanism>
<required/>
</mechanisms>
</stream:features>
C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='DIGEST-MD5'/>
S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi
LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
</challenge>
C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
YXJzZXQ9dXRmLTgK
</response>
S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
</challenge>
C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
C: <stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com'
version='1.0'>
S: <stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_345'
from='example.com'
version='1.0'>
S: <stream:features>
<compression xmlns='http://jabber.org/features/compress'>
<method>zlib</method>
<required/>
</compression>
</stream:features>
C: <compress xmlns='http://jabber.org/protocol/compress'>
<method>zlib</method>
</compress>
S: <compressed xmlns='http://jabber.org/protocol/compress'/>
C: <stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com'
version='1.0'>
S: <stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_456'
from='example.com'
version='1.0'>
S: <stream:features>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<required/>
</bind>
<session xmlns='urn:ietf:params:xml:ns:xmpp-session'>
<required/>
</session>
<amp xmlns='http://jabber.org/features/amp'/>
</stream:features>
C: <iq type='set' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<resource>someresource</resource>
</bind>
</iq>
S: <iq type='result' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<jid>somenode@example.com/someresource</jid>
</bind>
</iq>
C: <iq to='example.com' type='set' id='sess_1'>
<session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
</iq>
S: <iq from='example.com' type='result' id='sess_1'/>
]]></example>
</section1>
<section1 topic='Dialback Stream Feature' anchor='dialback'>
<p>As specified in <cite>RFC 3920</cite>, suupport for the server dialback protocol is currently adverised through inclusion of a dialback namespace prefix in the stream header:</p>
<example caption='Stream header with dialback namespace advertisement'><![CDATA[
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
id='s2s_123'>
]]></example>
<p>However, it is not clear if inclusion of the dialback namespace indicates that a server supports the server dialback protocol or it if requires negotiation of server dialback. To make this clear, we define a stream feature for server dialback.</p>
<p>Consider the following scenario, in which Server1 provides a self-signed certificate. According to Server2's local service policy, it does not consider self-signed certificates to be trustworthy and therefore requires negotiation of server dialback in this case.</p>
<example caption='A stream negotiation with server dialback'><![CDATA[
S1: <stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com'
version='1.0'>
S2: <stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
id='s2s_123'
from='example.com'
version='1.0'>
S2: <stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
</stream:features>
S2: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
[TLS negotiation with self-signed certificate]
S1: <stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com'
version='1.0'>
S2: <stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.com'
id='c2s_234'
version='1.0'>
S2: <stream:features>
<dialback xmlns='http://jabber.org/features/dialback'>
<required/>
</dialback>
</stream:features>
[Dialback negotiation]
]]></example>
</section1>
<section1 topic='Security Considerations' anchor='security'>
<p>The improvements described herein do not introduce any new security concerns above and beyond those defined in <cite>RFC 3920</cite>.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
<p>No interaction with &IANA; is required as a result of this document.</p>
</section1>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<section2 topic='Stream Features' anchor='registrar-stream'>
<p>The &REGISTRAR; shall include 'http://jabber.org/features/dialback' in its registry of stream features.</p>
<p>The submission is as follows:</p>
<code><![CDATA[
<feature>
<ns>http://jabber.org/features/dialback</ns>
<name>dialback</name>
<element>dialback</element>
<desc>Support for Server Dialback</desc>
<doc>rfc3920bis</doc>
</feature>
]]></code>
</section2>
</section1>
<section1 topic='XML Schema' anchor='schema'>
<section2 topic='SASL Stream Feature' anchor='schema-sasl'>
<p>Note: The following provisional schema is intended to replace the existing schema for the SASL stream feature.</p>
<code><![CDATA[
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:ietf:params:xml:ns:xmpp-sasl'
xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
elementFormDefault='qualified'>
<xs:element name='mechanisms'>
<xs:complexType>
<xs:sequence>
<xs:element name='mechanism'
maxOccurs='unbounded'
type='xs:string'/>
<xs:element name='required'
minOccurs='0'
maxOccurs='1'
type='empty'/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name='auth'>
<xs:complexType>
<xs:simpleContent>
<xs:extension base='xs:string'>
<xs:attribute name='mechanism'
type='xs:string'
use='optional'/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name='challenge' type='xs:string'/>
<xs:element name='response' type='xs:string'/>
<xs:element name='abort' type='empty'/>
<xs:element name='success' type='empty'/>
<xs:element name='failure'>
<xs:complexType>
<xs:choice minOccurs='0'>
<xs:element name='aborted' type='empty'/>
<xs:element name='incorrect-encoding' type='empty'/>
<xs:element name='invalid-authzid' type='empty'/>
<xs:element name='invalid-mechanism' type='empty'/>
<xs:element name='mechanism-too-weak' type='empty'/>
<xs:element name='not-authorized' type='empty'/>
<xs:element name='temporary-auth-failure' type='empty'/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:simpleType name='empty'>
<xs:restriction base='xs:string'>
<xs:enumeration value=''/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
]]></code>
</section2>
<section2 topic='Resource Binding Stream Feature' anchor='schema-bind'>
<p>Note: The following provisional schema is intended to replace the existing schema for the Resource Binding stream feature.</p>
<code><![CDATA[
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:ietf:params:xml:ns:xmpp-bind'
xmlns='urn:ietf:params:xml:ns:xmpp-bind'
elementFormDefault='qualified'>
<xs:element name='bind'>
<xs:complexType>
<xs:sequence>
<xs:choice minOccurs='0' maxOccurs='1'>
<xs:element name='resource' type='resourceType'/>
<xs:element name='jid' type='fullJIDType'/>
</xs:choice>
<xs:element name='required'
minOccurs='0'
maxOccurs='1'
type='empty'/>
</xs:choice>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:simpleType name='resourceType'>
<xs:restriction base='xs:string'>
<xs:minLength value='1'/>
<xs:maxLength value='1023'/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name='fullJIDType'>
<xs:restriction base='xs:string'>
<xs:minLength value='8'/>
<xs:maxLength value='3071'/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
]]></code>
</section2>
<section2 topic='Session Establishment Stream Feature' anchor='schema-session'>
<p>Note: The following provisional schema is intended to replace the existing schema for the Session Establishment stream feature.</p>
<code><![CDATA[
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:ietf:params:xml:ns:xmpp-session'
xmlns='urn:ietf:params:xml:ns:xmpp-session'
elementFormDefault='qualified'>
<xs:element name='session'>
<xs:complexType>
<xs:sequence>
<xs:element name='required'
minOccurs='0'
maxOccurs='1'
type='empty'/>
</xs:sequence>
</xs:complexType>
<xs:simpleType name='empty'>
<xs:restriction base='xs:string'>
<xs:enumeration value=''/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
]]></code>
</section2>
<section2 topic='Server Dialback Stream Feature' anchor='schema-dialback'>
<p>Note: The following defines a schema for the proposed Server Dialback stream feature.</p>
<code><![CDATA[
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='http://jabber.org/features/dialback'
xmlns='http://jabber.org/features/dialback'
elementFormDefault='qualified'>
<xs:element name='dialback'>
<xs:complexType>
<xs:sequence>
<xs:element name='required'
minOccurs='0'
maxOccurs='1'
type='empty'/>
</xs:sequence>
</xs:complexType>
<xs:simpleType name='empty'>
<xs:restriction base='xs:string'>
<xs:enumeration value=''/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
]]></code>
</section2>
</section1>
<section1 topic='Acknowledgements' anchor='ack'>
<p>Thanks to Ralph Meijer and Joe Hildebrand for their comments.</p>
</section1>
</xep>