1
0
mirror of https://github.com/moparisthebest/xeps synced 2024-12-21 23:28:51 -05:00

XEP-0384: server side requirments

This commit is contained in:
Daniel Gultsch 2020-03-08 17:59:33 +01:00
parent 20e29ee94b
commit 779af896e2

View File

@ -596,6 +596,15 @@
<p>When a client receives the message from a device id that is not on the device list, it SHOULD try to retrieve that user's devices node directly to ensure their local cached version of the devices list is up-to-date.</p>
</section1>
<section1 topic='Implementation Notes' anchor='impl'>
<section2 topic='Server side requirements' anchor='server-side'>
<p>While OMEMO uses a Pubsub Service (&xep0060;) on the users account it has more requirments than those defined in &xep0163;. The requirements are:</p>
<ul>
<li>The pubsub service MUST persist node items.</li>
<li>The pubsub service MUST support publishing options as defined <link url='https://xmpp.org/extensions/xep-0060.html#publisher-publish-options'><cite>XEP-0060</cite> §7.1.5</link></li>
<li>The pubsub service MUST support 'max' as a value for the 'pubsub#persist_items' node configuration</li>
<li>The pubsub service SHOULD support the 'open' access model for node configuration and 'pubsub#access_model' as a publish option.</li>
</ul>
</section2>
</section1>
<section1 topic='Security Considerations' anchor='security'>
<p>Clients MUST NOT use a newly built session to transmit data without user intervention. If a client were to opportunistically start using sessions for sending without asking the user whether to trust a device first, an attacker could publish a fake device for this user, which would then receive copies of all messages sent by/to this user. A client MAY use such "not (yet) trusted" sessions for decryption of received messages, but in that case it SHOULD indicate the untrusted nature of such messages to the user.</p>