From 424dd6c59ba528f20658f3e85ebc1841d2ca65af Mon Sep 17 00:00:00 2001
From: Sam Whited The Diffie-Hellman key agreement algorithm This AKE uses a hybrid protocol derived from the Internet Key Exchange (IKE) The Diffie-Hellman key agreement algorithm provides a mechanism to allow key establishment in a scalable and secure way. It allows two parties to agree on a shared value without requiring encryption. An Authenticated Key Agreement (AKE) is a secure protocol ensuring that in addition to securely sharing a secret, the two parties can be certain of each other’s identities, even when an active attacker exists. This AKE uses a hybrid protocol derived from the Internet Key Exchange (IKE) and the OAKLEY key determination protocol. The purpose is to negotiate and provide authenticated key material for security association (SA) in a protected manner. The basic mechanism is the Diffie-Hellman Key Exchange. It provides the following addition to base key agreement: The anti clogging tokens, or cookies, provide a weak form of source address identification for both parties. The cookies exchange can be completed before they perform the expensive computations later in the protocol. The cookies are used also for key naming. The sender starts with an SI request, using the semantics from XEP-0095: In order to maintain as much backward compatibility as possible, partial escape sequences and escape sequences corresponding to characters not on the list of disallowed characters MUST be ignored (with the exception of the escaping character '\' itself in the rare case when the source address includes the sequence '\5c'). However, \5c would be escaped if found in the source address (e.g., a source address of "c:\5commas@example.com" would be escaped to "c\3a\5c5commas@example.com") and unescaped if contained in the JID-on-the-wire (e.g., a JID-on-the-wire of "c\3a\5c5commas@example.com" would be unescaped back to "c:\5commas@example.com"). * Note: The User Avatar specification (XEP-0084) has not yet advanced to a status of Draft within the XSF's standards process, and the Extended Presence Protocol Suite will not be submitted for approval until it does so. * Note: The User Avatar specification (XEP-0084) has not yet advanced to a status of Draft within the XSF's standards process, and the Extended Presence Protocol Suite will not be submitted for approval until it does so. Discovery of extended presence pubsub nodes is expedited through the use of Personal Eventing via Pubsub (PEP), since in PEP services there is a one-to-one relationship between payload types and NodeIDs. The NodeIDs MUST be as follows: Naturally, not all of these use cases apply to all service types (e.g., adding a user may not apply to a multi-user chat service). An implementation or deployment MAY support any subset of the use cases defined herein. In addition, although this document aims to define common use cases, an implementation or deployment MAY support additional commands not defined herein, which may or may not be publicly registered. Note: The text that follows assumes that implementors have read and understood XEP-0050: Ad-Hoc Commands and XEP-0004: Data Forms. Note: The text that follows assumes that implementors have read and understood XEP-0050: Ad-Hoc Commands and XEP-0004: Data Forms. A user is defined as any entity that has a persistent relationship with a service (most commonly through the creation a registered account with the service) and whose account is in some sense hosted by the service. Adding a user MUST result in the creation of an account, along with any implementation-specific data for such an account (e.g., database entries or a roster file). The command node for this use case SHOULD be "http://jabber.org/protocol/admin#add-user". A sample protocol flow for this use case is shown below. When publishing a stream via the <sipub/> element, the identifier SHOULD NOT be used as-is for the <si/> element, since a single publication will likely result in multiple <si/> requests, possibly from the same receiver. A user might want to forward all the unread messages residing at
- the remote client to the local client (e.g. when the remote client was
- accidentally left on-line, and has received messages in the meantime).
+ A user might want to forward all the unread messages residing at the
+ remote client to the local client (e.g. when the remote client was
+ accidentally left on-line, and has received messages in the meantime).
+
For example, suppose Romeo sends a message to Juliet, thinking she is
- still on her balcony. The balcony client receives the message:
-
However, Juliet is in her chamber, so she doesn't know about the message
- (yet). Realizing she left her balcony client unattended, she sends a
- request to the remote client to forward all unread messages.
-
-
The client forwards all unread messages to the local client, adding
- information about the origin of the message (using the 'ofrom'
- &xep0033; address, and the &xep0203; timestamp of the original message).
- The chamber client receives both these messages and a
- confirmation that the command was completed.
-
+ A client MAY provide a more fine-grained implementation, e.g. by
+ presenting the requester an extra form to select which messages have to
+ be forwarded.
+ It might be desirable to remotely set some run-time options of
- a client. For example, when neighbours complain about the sounds your
- client makes while you're at another location, you could turn the
- sounds off at the remote client.
-
-
REQUIRED *
-
Unless an error occurs (see the - Error Handling section below), the service - SHOULD return the appropriate form.
- -+ Unless an error occurs (see the Error + Handling section below), the service SHOULD return the + appropriate form. +
+The remote client sets the values of the options to their requested - value. If a variable is omitted, the client SHOULD NOT change the value of the - corresponding option.
- -+ The remote client sets the values of the options to their requested + value. + If a variable is omitted, the client SHOULD NOT change the value of the + corresponding option. +
+Notification of completion MAY include the processed data in a data - form of type 'result'.
++ Notification of completion MAY include the processed data in a data form + of type 'result'. +
- - -Unless an error occurs (see the - Error Handling section below), the service - SHOULD return the appropriate form.
- +]]> ++ Unless an error occurs (see the Error Handling + section below), the service SHOULD return the appropriate form. +
++ The remote client accepts the selected file transfers, and informs the + local client of completion. +
Meeting on virtual locations is very similar to meeting peers in a public chat room. But web pages can be regarded as 2 dimensional. They very often cover the entire screen. They use graphics elements for their content. Plainly speaking: representing users as figures or other images fits well to web pages. Once they are shown as individual figures, a line based chat and a chat window are not required any more (though a chat window can still be used). The figures can move around and talk in chat bubble style. Chat bubbles in turn enable incremental chat.
-This document describes protocol elements for -
This document describes protocol elements for:
+While users are browsing the web, they enter and leave many rooms. They meet many people and some of them multiple times. Minimum overall traffic and minimum traffic on the user connection are primary design goals. The user connection is limited by typical karma settings of jabber servers. Logging in to virtual locations (rooms) must be quick in terms of round trips and cheap in terms of traffic. Once logged in to a room, the traffic on the user connection should be independent of the number of peers already present.
-The extensions have been designed to be: -
The extensions have been designed to be:
+The traffic goals can be met by using only the initial &PRESENCE; stanza, which carries all required information, so that no peer-to-peer messages are required on entering. VP clients which gather additional information about peers (e.g. avatar images) should cache the data so that it can be re-used. This is especially important since users browsing virtually connected locations (i.e. linked pages) may meet very often in a short time.
@@ -146,33 +144,31 @@The mapping process should try to protect the privacy of the user. After all, virtual presence is a violation of privacy in general, because people know where other people are (virtually). This is critical, if compared to the totally un-observed Web without virtual presence. In the real world people are used to being seen in physical locations, but only by others who are physically present in the same location. The mapping process should emulate this restriction. The general idea is to include a one way function (message digest) during the mapping process to prohibit the discovery of 'interesting' chat room names. In other words: observers must do the forward mapping and enter a room to see who is there or discover random room names without being able to re-create the source URL. So, they may be able to find people in random rooms, but do not know the virtual location.
-This mapping process is designed to -
This mapping process is designed to:
+For more information about 'YoungHero' beyond the nickname Juliet needs a JID (see below for anonymous variants of the avatar image). Non-anonymous rooms will supply the JIDs automatically. But we suggest that rooms, which make up the virtual presence network are configured to be anonymous so that users can choose if they want to disclose the JID. We propose an extension to the &PRESENCE; stanza for users to supply their JID automatically to peers in anonymous rooms with minimum traffic even for many participants.
-Note: even though Romeo sends a JID, the systems is still anonymous. Romeo could send any JID. He may send a (fake) JID that is just the base address of his storage, but not his communication address. In anonymous rooms Juliet will use any JID Romeo provides. If the room is not anonymous, then Romeo's client may use Juliet's actual JID.
-Entering the room Juliet would add a JID-element to the initial &PRESENCE; stanza.
Note: disclosing the JID is usually not advisable in public rooms. We decided to offer the functionality as an option, for 2 reasons: -
Note: disclosing the JID is usually not advisable in public rooms. We decided to offer the functionality as an option, for 2 reasons:
+Caching requires a persistent and unique id per user. While a message digest of the JID would be sufficient for caching extended information, it is not sufficient for retrieving extended information.
The video format is the common, widely used webcam format introduced by Netscape (JPEG server-pushed).
-In the real world there are many Romeos and Juliets even on the same page at the same time. Some of them with a webcam. Depending on the default settings of VP clients all users (say 8) will automatically request the videos of the subset of users equipped with a webcam (say 3). This automatically creates many video streams, 3 streams on the dialup line of all users and 7 streams on the line of webcam users. We therefore suggest the following optimizations and limitations: -
In the real world there are many Romeos and Juliets even on the same page at the same time. Some of them with a webcam. Depending on the default settings of VP clients all users (say 8) will automatically request the videos of the subset of users equipped with a webcam (say 3). This automatically creates many video streams, 3 streams on the dialup line of all users and 7 streams on the line of webcam users. We therefore suggest the following optimizations and limitations:
+The purpose of these limitations is to allow for webcams which send optimized streams of small images (reducing the data volume by a factor of 3) while supporting usual webcams.
@@ -626,29 +615,29 @@ http://www.shakespeare.com/_vpi.xml]]>This section is intended as a guideline for the implementation of the mapping process.
-The mapping has 2 phases: -
The mapping has 2 phases:
+
- We get a URL from the web browser, say
-
- We try to fetch the configuration file from
-
- The request fails (the failure is noted in the cache), and we try
-
- The request fails again (the failure is noted in the cache). We try
-
- We do not find it (the failure is noted in the cache), and we revert to the
- global file (which one depends on the client configuration)
-
- The request returns (and the data is stored in the cache):
-
We get a URL from the web browser, say:
+ We try to fetch the configuration file from
+
+ The request fails (the failure is noted in the cache), and we try
+
+ The request fails again (the failure is noted in the cache). We try
+
+ + We do not find it (the failure is noted in the cache), and we revert to + the global file (which one depends on the client configuration) +
+
+ The request returns (and the data is stored in the cache):
+
@@ -670,20 +659,25 @@ http://www.shakespeare.com/_vpi.xml]]>
]]>
-
- We try to find a <location/> that matches our URL. We find:
- We try to find a <location/> that matches our URL. We find:
+
http://vpi.vp.bluehands.de/lluna-2.5.2/dotcom-vpi.xml
]]>
- This means that all .com domains are forwarded to a separate VPI file.
+
+ This means that all .com domains are forwarded to a separate VPI file.
We fetch:
-
-
- We store the result in the cache and search for a matching <location/>
- again. We find the default section (rest of the file omitted, the match-attribute is more general than the one of the previous <delegate/>, because here we are already in the .com domain):
-
+
+
+ We store the result in the cache and search for a matching
+ <location/> again.
+ We find the default section (rest of the file omitted, the match-attribute
+ is more general than the one of the previous <delegate/>, because
+ here we are already in the .com domain):
+
+
xmpp:location.virtual-presence.org
@@ -693,90 +687,88 @@ http://www.shakespeare.com/_vpi.xml]]>
...]]>
- The <location/> matches, so we get a virtual presence
- service address and a set of rules.
- The virtual presence server is
-
-
- The protocol to use is
-
-
- There mapping rule is:
-
+ The <location/> matches, so we get a virtual presence service
+ address and a set of rules.
+ The virtual presence server is
+
+
+ The protocol to use is
+
+ There mapping rule is:
+ \1
]]>
-
- The result of the first phase is a mapping rule, which will be
- applied to all URLs in the same folder as the original URL. In regex-speech:
-
-
- To apply the mask only to URLs in the same URL-path folder is a security
- requirement, so that 'inner' VPI files
- from websites can not configure the mapping of 'outer' folders or 'siblings'.
-
-
- The original URL was:
-
-
- So, the security mask is (the rule applies only to URLs in the same folder as the original URL):
-
- If the security mask applies to a URL can be verified by a simple string-compare without using a regular expression.
-
-
- The <location/> has a match attribute. This is the user supplied mask
- of the rule:
-
-
+
+ The result of the first phase is a mapping rule, which will be applied to
+ all URLs in the same folder as the original URL.
+ In regex-speech:
+
+
+
+ To apply the mask only to URLs in the same URL-path folder is a security
+ requirement, so that 'inner' VPI files from websites can not
+ configure the mapping of 'outer' folders or
+ 'siblings'.
+
+ The original URL was:
+
+
+ So, the security mask is (the rule applies only to URLs in the same folder
+ as the original URL):
+
+
+
+ If the security mask applies to a URL can be verified by a simple
+ string-compare without using a regular expression.
+
+
+ The <location/> has a match attribute.
+ This is the user supplied mask of the rule:
+
+
-
- The URL where we want to meet people is:
-
-
- We got many rules with a security mask (from the folder of the original URL) and a regular expression
- (from the match-attribute). For each new URl we check the URL against the security mask and the regular expression.
- One of the rules applies to the URL:
-
-
- The regular expression
-
-
- and the room <name>
-
-
- will extract the first level folder from the URL. The URL
+
The URL where we want to meet people is:
-
- gives:
+ + We got many rules with a security mask (from the folder of the original + URL) and a regular expression (from the match-attribute). + For each new URl we check the URL against the security mask and the + regular expression. + One of the rules applies to the URL: +
+
+ The regular expression
+
+ and the room <name>
+
+ will extract the first level folder from the URL. The URL
+
+ gives:
-
- The <digest/>-tag tells us to hash the regex replacement result with
- the default message digest SHA1. So we get:
+ + The <digest/>-tag tells us to hash the regex replacement result with + the default message digest SHA1. So we get: +
-
- The <prefix/>-tag tells us to prefix with
+ The <prefix/>-tag tells us to prefix with
-
- and finally the ID of the virtual location (the room name) is:
+ and finally the ID of the virtual location (the room name) is:
-
- From the <service/>
+ From the <service/>
-
- the client knows the transport protocol and the address. The Jabber protocol will
- be used as transport protocol and the Jabber conference room JID is
+ + the client knows the transport protocol and the address. The Jabber + protocol will be used as transport protocol and the Jabber conference room + JID is +
-
-
-
These namespaces need to be reviewed and/or registered with the XMPP Registrar as a result of this document. -
+ These namespaces need to be reviewed and/or registered with the XMPP + Registrar as a result of this document:
+The virtual presence on Jabber has been designed to fit easily into the existing Jabber infrastructure including existing software components, clients, and protocols. It turns out that Jabber offers everything necessary for basic virtual presence.
-This document proposes a mapping process in order to create a space for virtual presence on top of the URL based Web infrastructure. It also proposes namespace extensions for the protocol, which make virtual presence on web pages more convenient. The core features are: -
+ This document proposes a mapping process in order to create a space for + virtual presence on top of the URL based Web infrastructure. + It also proposes namespace extensions for the protocol, which make virtual + presence on web pages more convenient. + The core features are: +
+There are definitely more features possible. Suggestions are welcome
Security considerations for XMPP presence and PEP publication are described in RFC 6120, RFC 6121, XEP-0060, and XEP-0163.
-Advertising a telephone number, SIP URI, or other real-time communication address to multiple contacts in an unencrypted way (e.g., via XMPP presence or PEP in cases where not all hops are TLS-protected) introduces the possibility of information leakage and subsequent attacks such as unsolicited phone calls. Clients are advised to appropriately warn users about the dangers of such attacks. Alternatively, if the address is especially sensitive (say, a hashname &rfc6920; for use in a system that enables direct private communication outside of XMPP), then a client could send it in a message that itself is end-to-end encrypted.
Per a vote of the XMPP Council, advanced specification to Active.
Per a vote of the XMPP Council, advanced specification to Active.
A message translated by the originating XMPP entity or a transparent XMPP entity delivered to a remote entity with the pivot languages used to accomplish the translation. The source language is known because there is no
A message translated by the originating XMPP entity or a transparent XMPP entity delivered to a remote entity with the pivot languages used to accomplish the translation. The source language is known because there is no <x/> translation tag describing it. When a translation is done via a pivot language, the pivot languages and their order of use MUST be specified.
A message translated by the originating XMPP entity or a transparent XMPP entity delivered to a remote entity using pivot languages and machine translation. The source language is known because there is no &X; translation tag describing it.
@@ -212,7 +212,7 @@Service Discovery is used to determine if a JID provides translation services. The JID can also be a bot (e.g., <towerofbabel@shakespeare.lit>) or a server component (e.g., <translation.shakespeare.lit>).
@@ -242,7 +242,7 @@The supported languages and other details for the service must be known to use it. It is permissible for a translation service to provide multiple translation engines for the same language pairing -- if this is done, then a separate <item/> tag MUST be used for each pairing. A 'dictionary' attribute MAY be used to specify the dictionary for a specific <item/>. In order to specify more than one dictionary for a given language pairing then a separate <item/> tag MUST be used for each dictionary specification for that language pairing.
@@ -260,27 +260,27 @@If a specific dictionary is required you MAY request a dictionary. This SHOULD have been returned when discoing the server although a dictionary MAY be requested which was not. The dictionaries are translation engine specific and are free form text.
@@ -333,20 +332,20 @@If the translation service cannot complete the translation it SHOULD return a
If the translation service cannot complete the translation it SHOULD return a <item-not-found/> error indicating some part of the translation request was problematic, unless doing so would violate the privacy and security considerations in XMPP Core and XMPP IM, or local security and privacy policies.
If privacy or security considerations make returning an
If privacy or security considerations make returning an <item-not-found/> error not feasible it SHOULD return a <service-unavailable/> error.
-
+
The protocol documented by this schema is defined in
@@ -453,7 +452,7 @@
-
+
@@ -461,15 +460,15 @@
- ]]>
+]]>
@@ -502,7 +501,7 @@
-
+
@@ -510,7 +509,7 @@
- ]]>
+]]>
Modified order of explanation to ease understanding; removed discussion of alternate algorithms, which is better left to a more in-depth security analysis.
Recommended hashing the secret to satisfy length requirement; hostnames and Stream ID should be separated by spaces to avoid ambiguity; updated example to match revisions to RFC 3920.
Clarified and corrected roles of originating and receiving servers; updated recommendation and main example to use HMAC-SHA256 for key generation.