Improve security considerations and add listing JIDs.
+ Services that support issuing burner JIDs MUST advertise the fact in + responses to &xep0030; "disco#info" requests by returning an identity of + "authz/ephemeral". +
+The user requests an ephemeral identity from the server or another XMPP service by sending an IQ containing an "identity" payload qualified by the @@ -139,25 +166,50 @@ burner JIDs cannot be used.
- Services that support issuing burner JIDs MUST advertise the fact in - responses to &xep0030; "disco#info" requests by returning an identity of - "authz/ephemeral": + Services MAY choose to support listing burner JIDs by responding to + "disco#items" requests on the "urn:xmpp:burner:0" node. + Such services must advertise a feature of "urn:xmpp:burner:0" in response to + disco#info requests.
-+ This implies that services may choose to only support listing burner JIDs or + requesting burner JIDs by advertising the feature or the identity, + respectively. + Most services will likely wish to advertise both. +
++ The result of a disco#items request is a list of "item" elements with a + "jid" attribute containing the burner JID. + Burner JIDs that expire MAY include an "expires" attribute containing a + timestamp in the UTC timezone conforming to the datetime profile specified + in &xep0082;. + Note that the lack of an "expires" attribute does not indicate that the + JID never expires, just that the expiry date is unknown. + Burner JIDs are ephemeral and services MAY remove them at any time. +
+- To prevent burner JIDs from being abused for spamming, implementations MAY - rate limit all burner JIDs in use by an authn identity as a single unit. + To prevent burner JIDs from being abused for spamming, implementations + SHOULD rate limit all burner JIDs in use by an authn identity as a single + unit. However, be advised that this may provide a third party that can monitor traffic patterns with the ability to determine what burner JIDs belong to the same user. @@ -192,11 +245,13 @@
If TLS channel binding information is encoded in the local part of the - burner JID it is RECOMMENDED that the tls-unique channel binding value be - used as defined by &rfc5929; §3. + burner JID and the TLS version in use is 1.3 or greater, it is RECOMMENDED + that the tls-exporter channel binding value defined in &cbtls13; be used. + For versions of TLS less than 1.3, tls-unique SHOULD be used as defined + by &rfc5929; §3. Note that unless the master-secret fix from &rfc7627; has been implemented - channel binding information does not include enough context to successfully - verify the binding when resuming a TLS session. + tls-unique channel binding information does not include enough context to + successfully verify the binding when resuming a TLS session.
Implementations that choose to encode information in the localpart of burner @@ -208,6 +263,37 @@
This docment requires no interaction with the &IANA;.
This specification defines the following XML namespace:
++ Upon advancement of this specification from a status of Experimental to a + status of Draft, the ®ISTRAR; shall add the foregoing namespace to the + registry located at &DISCOFEATURES; as described in Section 4 of + &xep0053;. +
+
+ urn:xmpp:burner:0
+ Support for listing authorization identities and for issuing burner JIDs when paired with an appropriate identity.
+ &xep0383;
+]]>
+ + The ®ISTRAR; shall also add the foregoing namespace to the Jabber/XMPP + Protocol Namespaces Registry located at &NAMESPACES;. + Upon advancement of this specification from a status of Experimental to a + status of Draft, the ®ISTRAR; shall remove the provisional status from + this registry entry. +
+
+ urn:xmpp:burner:0
+ &xep0383;
+ provisional
+]]>
+ Upon advancement of this proposal from experimental to draft status the @@ -250,7 +336,10 @@
TODO.
++ An XML Schema will be added before this document reaches the status of + "draft". +
The author wishes to thank Philipp Hancke for his feedback.
diff --git a/xep.ent b/xep.ent index d7f0bcb2..1a06b127 100644 --- a/xep.ent +++ b/xep.ent @@ -404,6 +404,7 @@ THE SOFTWARE. XHTML Friends Network (XFN)
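Review bot: in the -139/+166 hunk, `Such services must advertise a feature of "urn:xmpp:burner:0" in response to disco#info requests.` uses lowercase "must" while the requirement it replaces and the rest of the section use RFC 2119 keywords (MUST, MAY, SHOULD); write MUST so that advertising the feature is an unambiguous conformance requirement for listing support. Further down in the same hunk, raising the rate-limit text from MAY to SHOULD sits uneasily with the next sentence, which warns that treating all burner JIDs of one authn identity as a single unit lets a traffic observer link those JIDs to the same user; either keep MAY, or state explicitly that this linkability concern is the recognised reason an implementation may deviate from the SHOULD, so that implementers do not read the two sentences as contradictory.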
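Review bot: in the -192/+245 hunk the RFC 7627 caveat is still phrased as a note, yet it is a precondition for tls-unique being verifiable at all when a session is resumed; since the hunk now says `For versions of TLS less than 1.3, tls-unique SHOULD be used as defined by &rfc5929; §3.`, make the condition normative (tls-unique only when the extended master secret extension of &rfc7627; has been negotiated) and say what an implementation does otherwise, rather than leaving the fallback implicit. The hunk also introduces the entity &cbtls13; for the first time; the xep.ent change at the end of the patch shows only context here, so confirm that its added line defines that entity, or the document will not build.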
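Review bot: in the -208/+263 hunk the new registrar paragraph (`Upon advancement of this specification from a status of Experimental to a status of Draft ... shall add the foregoing namespace to the registry located at &DISCOFEATURES;`) is added to a section whose unchanged context line a little later still reads `Upon advancement of this proposal from experimental to draft status the`, so the document now appears to instruct the registrar twice; merge the two or drop the older sentence. The new registry description `Support for listing authorization identities and for issuing burner JIDs when paired with an appropriate identity.` also uses "listing authorization identities" where the protocol section in the earlier hunk speaks of listing burner JIDs; pick one term so the registry entry matches the feature it describes. While the section is being touched, the context line `This docment requires no interaction with the &IANA;.` has a typo (docment).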