From 56f57825443a8a5f3f1ccf8136de5e6493597882 Mon Sep 17 00:00:00 2001 From: Sam Whited Date: Fri, 28 Oct 2016 12:44:44 -0500 Subject: [PATCH] Add initial draft of burner JID xep to inbox --- inbox/burner.xml | 242 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 242 insertions(+) create mode 100644 inbox/burner.xml diff --git a/inbox/burner.xml b/inbox/burner.xml new file mode 100644 index 00000000..18c18e76 --- /dev/null +++ b/inbox/burner.xml @@ -0,0 +1,242 @@ + + +%ents; +]> + + +
+ Burner JIDs + + A mechanism by which users may request arbitrary anonymizing "burner" JIDs + for short term use. + + &LEGALNOTICE; + xxxx + ProtoXEP + Standards Track + Standards + Council + + XMPP Core + + + + NOT_YET_ASSIGNED + &sam; + + 0.0.1 + 2016-10-28 + ssw +

First draft.

 + +
+ +

+ In many XMPP applications it is desirable to be able to act anonymously to + prevent leaking personally identifiable information (PII) to a third party. + Traditionally this is accomplished using SASL authentication and the + ANONYMOUS mechanism as detailed in &xep0175;, however, ANONYMOUS auth + provides no mechanism for changing identities (requesting a new JID) without + creating a new session, and server operators may not wish to allow anonymous + authentication to prvent abuse. +

+

+ This specification solves these problems by decoupling anonymous identity + management from authentication. + This allows logged in users (anonymous or otherwise at the server operators + disgression) to request a new temporary identifier, a "burner" JID, which + may be used by its owner in any context where they would normally use their + persistent primary JID. +

+ + +
    +
  • + A server or service is able to issue a unique ephemeral identity to a user + that supplies the server or service with a public key. +
    • +
  • + A user is able to generate any number of burner JIDs from using their + private key which can be verified against their ephemeral identity on the + server. +
    • +
+ + +
+ +
Burner JID
+
+ A temporary JID that is not valid for the purpose of authentication but + which may be used in place of the authentication identity in a + pre-authenticated session. +
+ + +
Ephemeral identity
+
+ The identity of a user on the server comprising a shared secret and any + associated burner JIDs or other stored information about the user. +
+ + +
Authentication identity
+
+ The users normal identity and JID which they use to autenticate with the + server and create new XMPP sessions. +
+ +
+ + +
    +
  • + As a user concerned about SPAM I want to join a public chat room + anonymously to prevent JID harvesting. +
    • +
  • + As the author of a social website I want to allow users to create + ephemeral identities which can be used to contact them even if they have + not granted access to their personal information. +
    • +
  • + As a server operator I want to allow users to act anonymously, but also + want a way to rate limit the creation of ephemeral identities associated + with a given authentication identity. +
    • +
+ + +

+ The user requests an ephemeral identity from the server or another XMPP + service by sending an IQ containing an "identity" payload qualified by the + urn:xmpp:burner:0 namespace. +

+ + +]]> +

+ If the service wishes to issue an ephemeral identity to the user it replies + with a new burner JID: +

+ + + + hfgnINTSA-ciCLz6NhTtCD5Jr0k:1477672278884j@example.net/4db06f06-1ea4-11dc-aca3-000bcd821bfb + + +]]> + + +

+ Services that support issuing burner JIDs MUST advertise the fact in + responses to &xep0030; "disco#info" requests by returning an identity of + "": +

+ + + + + … + + + +…]]> + + +

+ It may be impractical to store verification information for every burner JID + issued by the system. + To this end it is RECOMMENDED that the localpart of a burner JID be an + HMAC-SHA-2 which includes the users JID or another unique identifier, an + expiration or issued time for the burner JID if appropriate, TLS channel + binding information, session information, or any other data the server + wishes to verify. + The format of this key or its input values is left as an implementation + decision. + As with persistent JIDs, the client MUST NOT assign any meaning to the + localpart or resourcepart of a burner JID. +

+ + +

+ To prevent burner JIDs from being abused for spamming, implementations + SHOULD rate limit all burner JIDs in use by a given authentication identity + as a single unit. +

+

+ When a users session ends it is RECOMMENDED that any ephemeral identities + associated with their session be purged. +

+

+ If TLS channel binding information is encoded in the burner JID it is + RECOMMENDED that the tls-unique channel binding value be used as defined by + &rfc5929; §3. + However, for resumed sessions the JIDs SHOULD be considered invalid unless + the master-secret fix from &rfc7627; has been implemented because otherwise + resumption does not include enough context to successfully verify the + binding. +

+ + +

This docment requires no interaction with the &IANA;.

+ + + +

+ Upon advancement of this proposal from experimental to draft status the + ®ISTRAR; will include a category of "authz" in its registry at + &DISCOCATEGORIES;. + The registrar will also add a value of "ephemeral" to that category. + The registry submission is as follows: +

+ + authz + Services and nodes that provide authorization identities. + + ephemeral + + An authorization service that provides ephemeral "burner" identities. + + XEP-XXXX + + +]]> +

+ Future submissions to the XMPP Registrar may register additional types. +

+ + +

This specification defines the following XML namespaces:

+
    +
  • urn:xmpp:burner:0
    • +
+

+ Upon advancement of this proposal from experimental to draft status the + registrar will include the foregoing namespaces in its registry at + &NAMESPACES; as governed by &xep0053;. +

+

+ + + &NSVER; + + + +

TODO.

+ +