From 779af896e2f4e94670c837ac427b1c5c12cb4293 Mon Sep 17 00:00:00 2001 From: Daniel Gultsch Date: Sun, 8 Mar 2020 17:59:33 +0100 Subject: [PATCH] XEP-0384: server side requirments --- xep-0384.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/xep-0384.xml b/xep-0384.xml index e115e33f..b709b101 100644 --- a/xep-0384.xml +++ b/xep-0384.xml @@ -596,6 +596,15 @@

When a client receives the message from a device id that is not on the device list, it SHOULD try to retrieve that user's devices node directly to ensure their local cached version of the devices list is up-to-date.

+ +

While OMEMO uses a Pubsub Service (&xep0060;) on the user’s account it has more requirments than those defined in &xep0163;. The requirements are:

+
    +
  • The pubsub service MUST persist node items.
    • +
  • The pubsub service MUST support publishing options as defined XEP-0060 §7.1.5
    • +
  • The pubsub service MUST support 'max' as a value for the 'pubsub#persist_items' node configuration
    • +
  • The pubsub service SHOULD support the 'open' access model for node configuration and 'pubsub#access_model' as a publish option.
    • +
+

Clients MUST NOT use a newly built session to transmit data without user intervention. If a client were to opportunistically start using sessions for sending without asking the user whether to trust a device first, an attacker could publish a fake device for this user, which would then receive copies of all messages sent by/to this user. A client MAY use such "not (yet) trusted" sessions for decryption of received messages, but in that case it SHOULD indicate the untrusted nature of such messages to the user.