From 7e3e4fc9f622903da4a5c899ebd25060bca1302c Mon Sep 17 00:00:00 2001 From: Peter Saint-Andre Date: Mon, 6 Jul 2009 17:20:20 +0000 Subject: [PATCH] 1.2rc1 git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@3308 4b5297f7-1745-476d-ba37-a9c6900126ab --- xep-0175.xml | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/xep-0175.xml b/xep-0175.xml index e8a73a21..b2957084 100644 --- a/xep-0175.xml +++ b/xep-0175.xml @@ -21,6 +21,12 @@ N/A &stpeter; + + 1.2rc1 + 2009-07-06 + psa +

Provided more detailed recommendations regarding usage restrictions for anonymous users.

 + 1.1 2007-11-07 @@ -51,16 +57,18 @@

RFC 3920 allows the use of any SASL mechanism (see &rfc4422;) in XMPP authentication, including the SASL ANONYMOUS mechanism (see &rfc4505;). This document specifies a recommended protocol flow for such use.

Note: This document is provided for discussion purposes in order to clarify the usage of SASL ANONYMOUS in XMPP systems. It is not meant to supersede the text in RFC 3920, RFC 4422, or RFC 4505. However, the recommendations in this document may be folded into rfc3920bis.

- -

RFC 3920 specifies that after an XMPP client authenticates with an XMPP server, it must bind a resource to the XML stream so that XML stanzas can be routed to the client. In essence there are three resource binding scenarios:

-
    -
  1. The client specifies a desired resource identifier and the server accepts it.
    2. -
  2. The client specifies a desired resource identifier but the server does not accept it, instead overruling the client and assigning a resource identifier.
    3. -
  3. The client asks the server to assign a resource identifier and the server does so.
    4. + +

    An XMPP server implementation SHOULD NOT enable the SASL ANONYMOUS mechanism by default, but instead SHOULD force an administrator to explicitly enable support in any given deployment.

    +

    An XMPP server SHOULD assign a temporary, unique bare JID &LOCALBARE; to a client that authenticates with SASL ANONYMOUS. Although the method for ensuring the uniqueness of localpart is a matter of implementation, it is RECOMMENDED for the localpart to be a UUID as specified in &rfc4122;.

    +

    After a client authenticates using the SASL ANONYMOUS mechanism, it MUST bind a resource; the server SHOULD ignore the resource identifier provided by the client (if any) and instead assign a resource identifier that it generates on behalf of the client.

    +

    Because an anonymous user is unknown to the server, the server SHOULD appropriately restrict the user's access in order to limit the possibility of malicious behavior, such as denial of service attacks as described in &xep0205;. The following restrictions are encouraged:

    +
      +

    1. The user SHOULD NOT be allowed to initiate communication with entities hosted at remote servers.

      2. +

    2. The user SHOULD NOT be allowed to establish long-term relationships such as presence subscriptions, &xep0045; registrations, or &xep0060; subscriptions; however, if the server allows this, it MUST cancel such relationships when the user's session ends.

      3. +

    3. The user SHOULD NOT be allowed to permanently store information on the server (e.g., via &xep0049;); however, if the server allows this, it MUST remove such information when the user's session ends.

      4. +

    4. The user SHOULD NOT be allowed to send large numbers of XMPP stanzas or otherwise use large amounts of system resources (e.g., by binding multiple resource identifiers or creating multiple &xep0065; sessions).

    -

    No matter which scenario is enacted, at the end of the process the server informs the client of its full JID &LOCALFULL;. In particular, it might be helpful for an XMPP server to assign a full JID to the client (i.e., not just the resource identifier) if it authenticates with SASL ANONYMOUS, and to ensure that the "bare JID" portion &LOCALBARE; is unique in the context of the domain served by the server.

    -

    The method for ensuring the uniqueness of the node identifier is a matter of implementation. It is RECOMMENDED for the node identifier to be a UUID as specified in &rfc4122;.

    -

    Although RFC 4505 allows the initiating entity (client) to provide so-called "trace data" when authenticating via SASL ANONYMOUS, it is NOT RECOMMENDED to include trace data as the XML character data of the <auth/> element (instead, the <auth/> element SHOULD be empty). However, if trace data is included, the server MUST NOT use it for any purpose other than tracing (e.g., in server logs).

    +

    Although RFC 4505 allows the initiating entity (client) to provide so-called "trace data" when authenticating via SASL ANONYMOUS, it is NOT RECOMMENDED for the client to include trace data as the XML character data of the <auth/> element (instead, the <auth/> element SHOULD be empty). However, if trace data is included, the server MUST NOT use it for any purpose other than tracing (e.g., in server logs).

    The RECOMMENDED protocol flow following TLS negotiation (refer to RFC 3920) is as follows:

    @@ -146,7 +154,7 @@ - somenode@example.com/someresource + 59BEC12A-9BAB-452B-88F8-D1563F09E549@example.com/2384F02A7E01 ]]> @@ -154,7 +162,7 @@
-

This document introduces no security considerations or concerns above and beyond those discussed in RFC 3920.

+

The security considerations discussed in RFC 3920 and RFC 4505 apply to the use of SASL ANONYMOUS in XMPP; specific suggestions regarding usage restrictions for anonymous users are provided under the Recommendations section of this document.

This document requires no interaction with &IANA;.