protoXEP OpenPGP for XMPP Pubsub: version 0.0.5

- add forgotten "timestamp" in example
- add implementation node on double encryption
- add clarification that sender should be a node owner

inbox/pubsub-encryption.xml

@@ -31,9 +31,21 @@
     <jid>goffi@jabber.fr</jid>
   </author>
   <revision>
-    <version>0.0.4</version>
+    <version>0.0.5</version>
     <date>2022-10-12</date>
     <initials>jp</initials>
+    <remark>
+      <ul>
+        <li>add forgotten "timestamp" in example</li>
+        <li>add implementation node on double encryption</li>
+        <li>add clarification that sender should be a node owner</li>
+      </ul>
+    </remark>
+  </revision>
+  <revision>
+    <version>0.0.4</version>
+    <date>2022-10-11</date>
+    <initials>jp</initials>
     <remark>
       <ul>
         <li>add a security note to indicate that &lt;shared-secret/&gt; and &lt;revoke/&gt; sender must be checked.</li>
@@ -140,6 +152,7 @@
     jid='pubsub.capulet.lit'
     node='123abc'
     id='1234-abcd-5678-efgh'
+    timestamp='2022-10-10T13:24:31Z'
     type='http://www.w3.org/2005/Atom'
     >
     ZSRD5lK9mz-5VHNyu2N1XLiJZ8I87jkv85ceZkVrOGA
@@ -181,6 +194,10 @@
   <p>Note that encrypted items MAY be mixed with plain text items: for instance if a blog is public, but some of its items are private. However the proper handling of this use case is out of scope of this specification.</p>
 </section1>
 
+<section1 topic='Implementation Notes' anchor='impl'>
+  <p>This specification uses &xep0373; independently of &xep0374;, implementations SHOULD avoid double encryption (e.g. by excluding &lt;openpgp/&gt; element qualified by 'urn:xmpp:openpgp:0' namespace from encryption by XEP-0374 implementation), and MUST ensure that element is correctly decrypted. Double encryption should be checked, and the &lt;openpgp/&gt; element MUST be decrypted even if OXIM (XEP-0374) is not being used.</p>
+</section1>
+
 <section1 topic='Discovering Support' anchor='disco'>
   <p>If a client supports the protocol specified in this XEP, it MUST advertise it by including the "urn:xmpp:openpgp:pubsub:0" discovery feature in response to a &xep0030; information request:</p>
 
@@ -206,7 +223,7 @@
 
 <section1 topic='Security Considerations' anchor='security'>
   <ul>
-    <li>When receiving a &lt;shared-secret/&gt; or a &lt;revoke/&gt; element, the receiving client MUST ensure that the signing sender is the same as the one for all known shared secrets of this pubsub node. This prevents a malicious actor for misleading the client into using a non-legitimate secret.</li>
+    <li>When receiving a &lt;shared-secret/&gt; or a &lt;revoke/&gt; element, the receiving client MUST ensure that the signing sender is the same as the one for all known shared secrets of this pubsub node (usually a node owner). This prevents a malicious actor for misleading the client into using a non-legitimate secret.</li>
     <li>To limit the surface of attack, the access model of an encrypted node should be set to "whitelist" and only people having the shared key should be allowed to retrieve encrypted items.</li>
     <li>If the shared key is compromised, or a user access is revoked, the key MUST be rotated. However, only new items are encrypted with the new key, any previous item should be considered as compromised too.</li>
     <li>Sometimes client may use metadata to construct item ID, this is notably the case for some &xep0277; implementation, as the resulting item ID is used to generate user friendly URLs. To avoid metadata leakage, clients SHOULD NOT derivate the item ID from any data of the item when pubsub encryption is used.</li>