mirror of
https://github.com/moparisthebest/xeps
synced 2024-11-21 16:55:07 -05:00
Add initial draft of burner JID xep to inbox
This commit is contained in:
parent
7ba53e8bcd
commit
56f5782544
242
inbox/burner.xml
Normal file
242
inbox/burner.xml
Normal file
@ -0,0 +1,242 @@
|
||||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<!DOCTYPE xep SYSTEM 'xep.dtd' [
|
||||
<!ENTITY % ents SYSTEM 'xep.ent'>
|
||||
%ents;
|
||||
]>
|
||||
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
|
||||
<xep>
|
||||
<header>
|
||||
<title>Burner JIDs</title>
|
||||
<abstract>
|
||||
A mechanism by which users may request arbitrary anonymizing "burner" JIDs
|
||||
for short term use.
|
||||
</abstract>
|
||||
&LEGALNOTICE;
|
||||
<number>xxxx</number>
|
||||
<status>ProtoXEP</status>
|
||||
<type>Standards Track</type>
|
||||
<sig>Standards</sig>
|
||||
<approver>Council</approver>
|
||||
<dependencies>
|
||||
<spec>XMPP Core</spec>
|
||||
</dependencies>
|
||||
<supersedes/>
|
||||
<supersededby/>
|
||||
<shortname>NOT_YET_ASSIGNED</shortname>
|
||||
&sam;
|
||||
<revision>
|
||||
<version>0.0.1</version>
|
||||
<date>2016-10-28</date>
|
||||
<initials>ssw</initials>
|
||||
<remark><p>First draft.</p></remark>
|
||||
</revision>
|
||||
</header>
|
||||
<section1 topic='Introduction' anchor='intro'>
|
||||
<p>
|
||||
In many XMPP applications it is desirable to be able to act anonymously to
|
||||
prevent leaking personally identifiable information (PII) to a third party.
|
||||
Traditionally this is accomplished using SASL authentication and the
|
||||
ANONYMOUS mechanism as detailed in &xep0175;, however, ANONYMOUS auth
|
||||
provides no mechanism for changing identities (requesting a new JID) without
|
||||
creating a new session, and server operators may not wish to allow anonymous
|
||||
authentication to prvent abuse.
|
||||
</p>
|
||||
<p>
|
||||
This specification solves these problems by decoupling anonymous identity
|
||||
management from authentication.
|
||||
This allows logged in users (anonymous or otherwise at the server operators
|
||||
disgression) to request a new temporary identifier, a "burner" JID, which
|
||||
may be used by its owner in any context where they would normally use their
|
||||
persistent primary JID.
|
||||
</p>
|
||||
</section1>
|
||||
<section1 topic='Requirements' anchor='reqs'>
|
||||
<ul>
|
||||
<li>
|
||||
A server or service is able to issue a unique ephemeral identity to a user
|
||||
that supplies the server or service with a public key.
|
||||
</li>
|
||||
<li>
|
||||
A user is able to generate any number of burner JIDs from using their
|
||||
private key which can be verified against their ephemeral identity on the
|
||||
server.
|
||||
</li>
|
||||
</ul>
|
||||
</section1>
|
||||
<section1 topic='Glossary' anchor='glossary'>
|
||||
<dl>
|
||||
<di>
|
||||
<dt>Burner JID</dt>
|
||||
<dd>
|
||||
A temporary JID that is not valid for the purpose of authentication but
|
||||
which may be used in place of the authentication identity in a
|
||||
pre-authenticated session.
|
||||
</dd>
|
||||
</di>
|
||||
<di>
|
||||
<dt>Ephemeral identity</dt>
|
||||
<dd>
|
||||
The identity of a user on the server comprising a shared secret and any
|
||||
associated burner JIDs or other stored information about the user.
|
||||
</dd>
|
||||
</di>
|
||||
<di>
|
||||
<dt>Authentication identity</dt>
|
||||
<dd>
|
||||
The users normal identity and JID which they use to autenticate with the
|
||||
server and create new XMPP sessions.
|
||||
</dd>
|
||||
</di>
|
||||
</dl>
|
||||
</section1>
|
||||
<section1 topic='Use Cases' anchor='usecases'>
|
||||
<ul>
|
||||
<li>
|
||||
As a user concerned about SPAM I want to join a public chat room
|
||||
anonymously to prevent JID harvesting.
|
||||
</li>
|
||||
<li>
|
||||
As the author of a social website I want to allow users to create
|
||||
ephemeral identities which can be used to contact them even if they have
|
||||
not granted access to their personal information.
|
||||
</li>
|
||||
<li>
|
||||
As a server operator I want to allow users to act anonymously, but also
|
||||
want a way to rate limit the creation of ephemeral identities associated
|
||||
with a given authentication identity.
|
||||
</li>
|
||||
</ul>
|
||||
</section1>
|
||||
<section1 topic='Business Rules' anchor='rules'>
|
||||
<p>
|
||||
The user requests an ephemeral identity from the server or another XMPP
|
||||
service by sending an IQ containing an "identity" payload qualified by the
|
||||
urn:xmpp:burner:0 namespace.
|
||||
</p>
|
||||
<example caption='User requests ephemeral identity'><![CDATA[
|
||||
<iq from='caiusmarcius@example.net/corioli'
|
||||
id='h7ns81g'
|
||||
to='example.net'
|
||||
type='get'>
|
||||
<identity xmlns='urn:xmpp:burner:0'/>
|
||||
</iq>]]></example>
|
||||
<p>
|
||||
If the service wishes to issue an ephemeral identity to the user it replies
|
||||
with a new burner JID:
|
||||
</p>
|
||||
<example caption='Server issues burner JID'><![CDATA[
|
||||
<iq from='example.net'
|
||||
id='h7ns81g'
|
||||
to='caiusmarcius@example.net/corioli'
|
||||
type='result'>
|
||||
<identity xmlns='urn:xmpp:burner:0'>
|
||||
<jid>
|
||||
hfgnINTSA-ciCLz6NhTtCD5Jr0k:1477672278884j@example.net/4db06f06-1ea4-11dc-aca3-000bcd821bfb
|
||||
</jid>
|
||||
</identity>
|
||||
</iq>]]></example>
|
||||
</section1>
|
||||
<section1 topic='Determining Support' anchor='support'>
|
||||
<p>
|
||||
Services that support issuing burner JIDs MUST advertise the fact in
|
||||
responses to &xep0030; "disco#info" requests by returning an identity of
|
||||
"":
|
||||
</p>
|
||||
<example caption='Service responds to disco#info query'><![CDATA[
|
||||
<iq type='result'
|
||||
from='muc.example.net'
|
||||
to='caiusmarcius@example.net/corioli'
|
||||
id='k3hs5174'>
|
||||
<query xmlns='http://jabber.org/protocol/disco#info'>
|
||||
<identity category='conference' type='text'/>
|
||||
<identity category='authz' type='ephemeral'/>
|
||||
…
|
||||
<feature var='http://jabber.org/protocol/disco#info'/>
|
||||
<feature var='http://jabber.org/protocol/disco#items'/>
|
||||
<feature var='http://jabber.org/protocol/muc'/>
|
||||
…]]></example>
|
||||
</section1>
|
||||
<section1 topic='Implementation Notes' anchor='impl'>
|
||||
<p>
|
||||
It may be impractical to store verification information for every burner JID
|
||||
issued by the system.
|
||||
To this end it is RECOMMENDED that the localpart of a burner JID be an
|
||||
HMAC-SHA-2 which includes the users JID or another unique identifier, an
|
||||
expiration or issued time for the burner JID if appropriate, TLS channel
|
||||
binding information, session information, or any other data the server
|
||||
wishes to verify.
|
||||
The format of this key or its input values is left as an implementation
|
||||
decision.
|
||||
As with persistent JIDs, the client MUST NOT assign any meaning to the
|
||||
localpart or resourcepart of a burner JID.
|
||||
</p>
|
||||
</section1>
|
||||
<section1 topic='Security Considerations' anchor='security'>
|
||||
<p>
|
||||
To prevent burner JIDs from being abused for spamming, implementations
|
||||
SHOULD rate limit all burner JIDs in use by a given authentication identity
|
||||
as a single unit.
|
||||
</p>
|
||||
<p>
|
||||
When a users session ends it is RECOMMENDED that any ephemeral identities
|
||||
associated with their session be purged.
|
||||
</p>
|
||||
<p>
|
||||
If TLS channel binding information is encoded in the burner JID it is
|
||||
RECOMMENDED that the tls-unique channel binding value be used as defined by
|
||||
&rfc5929; §3.
|
||||
However, for resumed sessions the JIDs SHOULD be considered invalid unless
|
||||
the master-secret fix from &rfc7627; has been implemented because otherwise
|
||||
resumption does not include enough context to successfully verify the
|
||||
binding.
|
||||
</p>
|
||||
</section1>
|
||||
<section1 topic='IANA Considerations' anchor='iana'>
|
||||
<p>This docment requires no interaction with the &IANA;.</p>
|
||||
</section1>
|
||||
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
|
||||
<section2 topic='Service Discovery Category/Type' anchor='registrar-disco'>
|
||||
<p>
|
||||
Upon advancement of this proposal from experimental to draft status the
|
||||
®ISTRAR; will include a category of "authz" in its registry at
|
||||
&DISCOCATEGORIES;.
|
||||
The registrar will also add a value of "ephemeral" to that category.
|
||||
The registry submission is as follows:
|
||||
</p>
|
||||
<code><![CDATA[
|
||||
<category>
|
||||
<name>authz</name>
|
||||
<desc>Services and nodes that provide authorization identities.</desc>
|
||||
<type>
|
||||
<name>ephemeral</name>
|
||||
<desc>
|
||||
An authorization service that provides ephemeral "burner" identities.
|
||||
</desc>
|
||||
<doc>XEP-XXXX</doc>
|
||||
</type>
|
||||
</category>
|
||||
]]></code>
|
||||
<p>
|
||||
Future submissions to the XMPP Registrar may register additional types.
|
||||
</p>
|
||||
</section2>
|
||||
<section2 topic='Protocol Namespaces' anchor='registrar-ns'>
|
||||
<p>This specification defines the following XML namespaces:</p>
|
||||
<ul>
|
||||
<li>urn:xmpp:burner:0</li>
|
||||
</ul>
|
||||
<p>
|
||||
Upon advancement of this proposal from experimental to draft status the
|
||||
registrar will include the foregoing namespaces in its registry at
|
||||
&NAMESPACES; as governed by &xep0053;.
|
||||
</p>
|
||||
<p></p>
|
||||
</section2>
|
||||
<section2 topic='Namespace Versioning' anchor='registrar-versioning'>
|
||||
&NSVER;
|
||||
</section2>
|
||||
</section1>
|
||||
<section1 topic='XML Schema' anchor='schema'>
|
||||
<p>TODO.</p>
|
||||
</section1>
|
||||
</xep>
|
Loading…
Reference in New Issue
Block a user