From 5f2683ed45d325fcfbccff91bcbdc625f5ddccf3 Mon Sep 17 00:00:00 2001 From: Peter Saint-Andre Date: Tue, 7 Oct 2008 16:02:12 +0000 Subject: [PATCH] 0.9: clarified stanza handling git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@2338 4b5297f7-1745-476d-ba37-a9c6900126ab --- xep-0186.xml | 53 +++++++++++++++++++++++++++++++++++----------------- 1 file changed, 36 insertions(+), 17 deletions(-) diff --git a/xep-0186.xml b/xep-0186.xml index e2c90127..a15936b0 100644 --- a/xep-0186.xml +++ b/xep-0186.xml @@ -24,6 +24,12 @@ None invisible &stpeter; + + 0.9 + 2008-10-07 + psa +

Further clarified server and client handling of stanzas during an invisibility session.

+
0.8 2008-10-06 @@ -121,17 +127,35 @@ type='result'/> ]]>

(Standard XMPP stanza errors apply; see RFC 3920 and &xep0086;.)

-

If the client enters invisible mode after having previously sent undirected presence with no 'type' attribute (e.g., after sending initial presence), the server MUST send &UNAVAILABLE; presence from the specified resource to all contacts who would receive unavailable presence if the client sent &UNAVAILABLE;.

-

While the client is in invisible mode, the server:

-
    -
  1. MUST NOT broadcast presence notifications as a result of receiving any subsequent undirected presence notifications from the client.

  2. -
  3. MUST deliver directed presence stanzas generated by the client.

  4. -
  5. MUST deliver inbound &PRESENCE; stanzas.

  6. -
  7. SHOULD deliver inbound &MESSAGE; stanzas whose 'to' address is the bare JID &LOCALBARE; of the user (subject to standard XMPP stanza handling rules).

  8. -
  9. MUST deliver inbound &MESSAGE; and &IQ; stanzas whose 'to' address is the full JID &LOCALFULL; corresponding to the resource of the client.

  10. -
  11. MUST deliver outbound &MESSAGE; and &IQ; stanzas generated by the client (for an important note regarding presence leaks, see the Security Considerations section of this document).

  12. -
-

If after sending directed presence the client then sends &UNAVAILABLE;, the server MUST deliver that unavailable presence only to the entities to which the client sent directed presence after going invisible.

+

When the client enters invisible mode in the midst of a presence session (i.e., after having previously sent undirected presence with no 'type' attribute), the server MUST send &UNAVAILABLE; presence from the specified resource to all contacts who would receive unavailable presence if the client sent &UNAVAILABLE;.

+

The following sections define how the server and the client shall handle inbound and outbound XML stanzas while the client is invisible.

+ +

While the client is in invisible mode, the server:

+
    +
  1. MUST NOT broadcast presence notifications as a result of receiving any subsequent undirected presence notifications from the client.

  2. +
  3. MUST deliver directed presence stanzas generated by the client.

  4. +
  5. MUST deliver inbound &PRESENCE; stanzas.

  6. +
  7. SHOULD deliver inbound &MESSAGE; stanzas whose 'to' address is the bare JID &LOCALBARE; of the user (subject to standard XMPP stanza handling rules).

  8. +
  9. MUST deliver inbound &MESSAGE; and &IQ; stanzas whose 'to' address is the full JID &LOCALFULL; corresponding to the resource of the client.

  10. +
  11. MUST deliver outbound &MESSAGE; and &IQ; stanzas generated by the client (for an important note regarding presence leaks, see the Security Considerations section of this document).

  12. +
  13. +

    If there are no other available resources, MUST respond to all IQ-get requests and presence probes sent to the account's bare JID as if the account were offline; this includes but is not limited to the following:

    +
      +
    • If the server responds to a presence probe, the last available presence MUST indicate that the user is unavailable, and if a time is indicated it MUST be the time when the client went invisibile.
    • +
    • If the server responds to a &xep0012; request, the last activity time MUST be the time when the client went invisible.
    • +
    • If the server responds to a &xep0030; items request, the response MUST NOT include the invisible resource as one of the account's available items.
    • +
    +
  14. +
  15. If after sending directed presence the client then sends &UNAVAILABLE;, the server MUST deliver that unavailable presence only to the entities to which the client sent directed presence after going invisible.

  16. +
+
+ +

While the client is in invisible mode, the client:

+
    +
  • MUST maintain a temporary list of entities with which communication is allowed, and prompt the user before adding any entity to that "communicants list" for this invisibility session; the list MAY be auto-populated with trusted entities if so configured by the user.

  • +
  • MUST prompt the user before sending any outbound traffic (message, presence, or IQ stanza) to a contact even if the user generated such traffic; upon receiving authorization from the user, the client SHOULD add the authorized entity to the communicants list for this invisibility session.

  • +
+

In order for a client to become visible again, it shall send an IQ-set with no 'to' address (thus handled by the user's server) containing a <visible/> element qualified by the 'urn:xmpp:invisible:0' namespace &VNOTE;.

@@ -186,12 +210,7 @@ -

It is important to recognize that invisibility can be defeated without the use of privacy lists, intelligent stanza handling by the server, and an awareness of context on the part of a client. For example:

-
    -
  • If a user attempts to send a message, IQ, or presence stanza to a contact, the user can inadvertently leak his or her presence; therefore the client SHOULD warn the user before allowing the user to generate any outbound traffic, including "is-composing" events as defined in &xep0085;.
  • -
  • If a user usually logs in as the same resource (e.g., "Home"), a contact can send an IQ request to that resource's full JID using &xep0012;, &xep0030;, &xep0090;, or &xep0092; and receive a reply, thus providing information that reveals the user's availability.
  • -
  • If a contact sends a Last Activity request to the user's bare JID, the user's server normally would reveal information about the user's availability; however, while the user is in invisible mode the server MUST return a &unavailable; error to such contacts.
  • -
+

No matter how it is implemented, invisibility can be defeated and presence leaks can occur without careful stanza handling on the part of the server and the client. Use of the protocol defined here does not guarantee that presence leaks will not occur, either technically or socially (e.g., if the user reveals his presence to one contact but not another and those contacts are in communication).