From 2e6efba85c8390f162b9e1596ee9a1fa37cf9b82 Mon Sep 17 00:00:00 2001
From: "Ruslan N. Marchenko"
Date: Wed, 29 Jul 2020 07:38:35 +0200
Subject: [PATCH 1/6] Correct MAM UID "not-found" note
---
xep-0313.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xep-0313.xml b/xep-0313.xml
index 8a6ddb2c..7538d1a4 100644
--- a/xep-0313.xml
+++ b/xep-0313.xml
@@ -430,7 +430,7 @@
]]>
- If any UID requested by the client in any of the 'before-id', 'after-id' or 'ids' form fields, the server MUST return an item-not-found error in response to the query.
+ If any UID requested by the client in any of the 'before-id', 'after-id' or 'ids' form fields is not present in the archive, the server MUST return an item-not-found error in response to the query.
From 4b020e18f1d579d37566417556f7db0464cb7b1d Mon Sep 17 00:00:00 2001
From: Florian Schmaus
Date: Tue, 4 Aug 2020 12:49:04 +0200
Subject: [PATCH 2/6] XEP-0440: Version 0.2.0 of "XEP-0440: SASL
Channel-Binding Type Capability"
---
xep-0440.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 61 insertions(+), 4 deletions(-)
diff --git a/xep-0440.xml b/xep-0440.xml
index bbdbfadf..b54764c3 100644
--- a/xep-0440.xml
+++ b/xep-0440.xml
@@ -23,6 +23,15 @@
sasl-cb-types
&flow;
+
+ 0.2.0
+ 2020-08-04
+ fs
+
+ Discuss interaction with SASL mechanism and add security considerations.
+ Recommend implementation of tls-server-end-point.
+
+
0.1.0
2020-06-14
@@ -88,11 +97,56 @@
+
+
+ Some channel-binding enabled SASL mechanisms reflect the server's
+ presumed channel-binding abilities back to the server. This prevents
+ SASL-mechanism stripping attacks, where a Man in the Middle (MITM)
+ removes certain SASL mechanisms in an attempt to downgrade the
+ mechanism choosen for authentication to a non-channel-binding enabled
+ one. An example of a SASL mechanism family with this feature is
+ &rfc5802;. This standard specifies the gs2-cbind-flag. The flag has a
+ tristate value of "I don't support channel-binding" (n), "I think you
+ do not support channel-binding, but I do" (y), or, "Let us use
+ channel-binding type X" (p).
+
+ Clients using the information provided
+ via <sasl-channel-binding/> MAY want to indicate to the server
+ that they do not support channel-binding (even if they do) if no
+ mutual supported channel-binding type was found. The only alternative
+ is, that the client signals the server that he believes that the server
+ does not support channel binding. But this may cause the server to
+ terminate the connection, because it indicates a potential ongoing
+ SASL-mechanism stripping attack.
+
+
+
- The author belives that this document itself does not yield any
- new security considerations.Hopefully somebody will correct him, in
- case he is wrong.
+ If a client signals to the server that he does not support
+ channel binding, because it found no mutual supported
+ channel-binding types, another MITM attack
+ vector is introduced. An active attacker could replace the
+ <sasl-channel-binding;> list with channel bindings unlikely
+ (or impossible) to be supported by the client. If the client is
+ configured to use non-channel-binding SASL mechanisms as a fallback,
+ this could be used to downgrade the connection security. Note that
+ this attack is a different one than the SASL-mechanism stripping one:
+ Here the attacker tempers with the announced channel-binding types,
+ i.e., the values within <sasl-channel-binding;>
+
+ Depending on the application's security policy, clients may
+ refrain from falling back to non-channel-binding SASL mechanisms
+ if no mutual supported channel-binding type is available.
+ Alternatively, they may try channel-binding with a supported type
+ nevertheless. To mitigate the attack describe above, clients
+ could "pin" the announced channel bindings types by a service. In that
+ case, implementations may want to allow the set of pinned channel-binding
+ types to be extended to stronger ones.
+
+ As further mitigation, it is RECOMMENDED to implement the
+ channel-binding type tls-server-end-point (&rfc5929;) to increase the
+ probability of a mutual supported channel-binding type.
@@ -117,7 +171,10 @@
Thanks to Sam Whited for the discussion about the underlying
- issue and incentivizing me to come up with this extension.
+ issue and incentivizing me to come up with this extension. Further
+ thanks goes to Ruslan N. Marchenko for pointing out the possible
+ MITM attack vector. Last but not least, Dave Cridland provided
+ valuable feedback.
From d08ec2832d09b8851a777a8fc5a2ebf77e3ffd03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?=
Date: Tue, 4 Aug 2020 17:43:09 +0200
Subject: [PATCH 3/6] XEP-0313: add revision block
---
xep-0313.xml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/xep-0313.xml b/xep-0313.xml
index 7538d1a4..2d7ff405 100644
--- a/xep-0313.xml
+++ b/xep-0313.xml
@@ -28,6 +28,14 @@
&mwild;
&ksmith;
+
+ 0.7.1
+ 2020-08-04
+ rufferson
+
+ Fix missing part of sentence to make more sense
+
+
0.7.0
2020-03-20
From f7e43277b8628ce6b650524ca5c2363e058718ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?=
Date: Tue, 4 Aug 2020 17:48:43 +0200
Subject: [PATCH 4/6] XEP-0048: Deprecate in favour of XEP-0402
---
xep-0048.xml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/xep-0048.xml b/xep-0048.xml
index ecdb5914..305aed56 100644
--- a/xep-0048.xml
+++ b/xep-0048.xml
@@ -10,7 +10,7 @@
This specification defines an XML data format for use by XMPP clients in storing bookmarks to mult-user chatrooms and web pages. The chatroom bookmarking function includes the ability to auto-join rooms on login.
&LEGALNOTICE;
0048
- Draft
+ Deprecated
Standards Track
Standards
@@ -19,7 +19,9 @@
XEP-0223
-
+
+ XEP-0402
+
bookmarks
http://www.xmpp.org/schemas/bookmarks.xsd
@@ -32,6 +34,12 @@
&pgmillard;
&stpeter;
+
+ 1.2
+ 2020-08-04
+ XEP Editor (jsc)
+ Deprecate in favour of XEP-0402
+
1.1
2007-11-07
From 55f7a2073d03bd8710fa3781118800a76a569ca0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?=
Date: Tue, 4 Aug 2020 17:54:23 +0200
Subject: [PATCH 5/6] XEP-0411: Issue Last Call
---
xep-0411.xml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xep-0411.xml b/xep-0411.xml
index 01d9a105..1df087fa 100644
--- a/xep-0411.xml
+++ b/xep-0411.xml
@@ -10,7 +10,8 @@
This specification describes a method to migrate to PEP based bookmarks without loosing compatibility with client that still use Private XML.
&LEGALNOTICE;
0411
- Deferred
+ Proposed
+ 2020-08-18
Standards Track
Standards
Council
From 11b4f4ed6708c403f4bf285f53b033b6e204deef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?=
Date: Tue, 4 Aug 2020 17:54:48 +0200
Subject: [PATCH 6/6] XEP-0352: Issue Last Call
---
xep-0352.xml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xep-0352.xml b/xep-0352.xml
index 5dff6569..3502747a 100644
--- a/xep-0352.xml
+++ b/xep-0352.xml
@@ -10,7 +10,8 @@
This document defines a way for the client to indicate its active/inactive state.
&LEGALNOTICE;
0352
- Deferred
+ Proposed
+ 2020-08-18
2017-12-21
2017-11-15
2017-03-28